---

DPC fines Facebook owner €251 million

The Data Protection Commission has fined Meta €251 million after an investigation into a data breach reported by the company in 2018.

The breach affected around 29 million Facebook accounts globally, of which around three million were based in the EU or EEA.

The categories of personal data affected included names and addresses, email addresses, phone numbers, places of work, religion, and gender.

User tokens

The data watchdog said that the breach arose from the exploitation by unauthorised third parties of user tokens on the Facebook platform.

The breach was remedied by Meta’s Irish arm and its US parent company shortly after its discovery.

The DPC inquiry found four separate breaches of the GDPR data-privacy rules.

The decisions, made by commissioners Dr Des Hogan and Dale Sunderland, included reprimands and an order to pay administrative fines totalling €251 million.

‘Serious risks and harms’

No objections to the decision were raised by the DPC’s equivalent bodies across Europe.

“This enforcement action highlights how the failure to build in data-protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms – including a risk to the fundamental rights and freedoms of individuals,” said deputy commissioner Graham Doyle.

Referring to the information contained on users’ Facebook profiles, he added that the vulnerabilities behind this breach caused “a grave risk of misuse” of these types of data.