Meta Platforms Inc., the parent company of Facebook, Instagram and WhatsApp was fined €251 million ($264 million) on Tuesday by Ireland’s Data Protection Commission (DPC) due to a major data breach that occurred in 2018.

This incident exposed the personal information of approximately 29 million users worldwide, including names, email addresses, phone numbers, and even sensitive details like religious beliefs and children’s data.

Read also: Meta unveils Video Seal: The new weapon fashioned against Deepfakes 

The breach and its Impact

Meta disclosed the breach in September 2018. The cause was the unauthorised access of user credentials, which enabled hackers to access accounts.

The DPC’s investigation revealed that Meta failed to implement adequate data protection measures during the design of its systems, violating the General Data Protection Regulation (GDPR). 

DPC Deputy Commissioner Graham Doyle emphasised the seriousness of these failures, stating, “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to severe risks and harms”.

Meta acknowledged the breach, saying it took quick action to fix the problem after it was found.

A company spokesperson stated, “We took immediate action to fix the problem as soon as it was identified”. Despite this assertion, the DPC found that Meta did not provide complete information in its initial breach notification and failed to document necessary compliance steps.

Read also: Meta’s Threads rolls out advanced search features to rival X and Bluesky

Consequences and future implications

The €251 million fine is part of a series of penalties Meta has faced in Europe for various data protection violations.

Earlier this year, the company was fined €91 million for issues related to password security and €1.2 billion for transferring EU user data to the U.S. without proper safeguards. 

The cumulative impact of these fines indicates that European regulators are increasingly scrutinising Meta’s practices.

As privacy concerns continue to rise globally, this case is a stark reminder for tech companies about the importance of robust data protection measures. 

The DPC’s actions reflect a commitment to enforcing GDPR standards and protecting user privacy across Europe. 

Meta has indicated plans to appeal this latest decision, underscoring the ongoing tensions between regulatory bodies and significant tech firms regarding data privacy practices.