On Friday 27 September, Meta, the parent company of Facebook, Instagram and WhatsApp, was fined €91 million by the Irish Data Protection Commission (DPC), which acts on behalf of the European Union.
The Irish regulator declared that the American company had breached the European regulation on the protection of personal data (GDPR), in particular by failing to be transparent after a security breach affecting its users’ passwords.
According to the DPC’s press release, Meta “did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing”.
The regulator also found that Meta had breached GDPR rules by failing to report the security breach within the required timeframe, and had also failed to “properly document” the breach.
The investigation was launched in April 2019, after Meta notified the DPC that it had inadvertently stored some of its social network users’ passwords in ‘plain text’ on its internal servers (i.e. without cryptographic protection or encryption keys).
The fine imposed by the EU, which is relatively small in relation to Meta’s turnover of several tens of billions of dollars, is the latest in a long series of fines targeting the major media platforms and social networks.
Google recently had its €2.4 billion fine for abuse of a dominant position confirmed by the European Court of Justice (see EUROPE 13479/2). (Original version in French by Isalia Stieffatre)