It’s an expensive day for Meta. First, Australia announced a $50 million AUD ($31.7 million USD) settlement with the company over the Cambridge Analytica scandal, and now the Irish Data Protection Committee (IDPC) has issued Meta a €251 million ($263 million) fine. The IDPC’s fine stems from a personal data breach on Facebook in 2018.
Hackers had exploited a “vulnerability in Facebook’s code,” related to the View As feature, the company said at the time. It allowed them to get hold of users’ access tokens and take over those accounts. The bad actors were able to log on to about 29 million global users’ Facebook accounts, including three million users in the European Union and European Economic Area. They gained access to information such as a user’s full name, email address, phone number, location, date of birth, religion and children’s personal data.
The IDPC holds Meta responsible for not having proper data protection when designing its processing systems, for not limiting its processing of personal data to what was specifically necessary and for not disclosing all the information about the breach.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” DPC Deputy Commissioner Graham Doyle stated. “By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
In response to the fine, a Meta spokesperson told Engadget, “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people across our platforms.”
Down under, the Cambridge Analytica scandal settlement stems from a whistleblower who revealed in 2018 that the company had “exploited Facebook to harvest millions of people’s profiles.” Facebook had found out about it three years earlier. Cambridge Analytica took this information to influence US voters for Donald Trump’s 2016 campaign and the Pro-Brexit campaign. The company was previously led by Steve Bannon, who recently served time in jail for his refusal to cooperate in the January 6 investigation.
The settlement should provide payment to an estimated 311,127 people. Eligible parties must have had a Facebook account from November 2015 to December 2015, spent more than 30 days in Australia during that period and either personally installed the This is Your Digital Life app or had a Facebook friend who installed it. Meta previously agreed to pay $725 million to users in the US.
Update, December 17 2024, 10:19AM ET: This article has been updated to include a statement from a Meta spokesperson.