Meta fined €91m by Irish regulator for password storage breach

Ireland's Data Protection Commission (DPC) has imposed a fine of €91 million on Meta Platforms Ireland for GDPR infringements arising from its inadvertent storage of user passwords in plaintext, without the security measures the regulation requires.

The decision, announced on 27 September 2024, follows an investigation that began in April 2019 after Meta notified the DPC of the incident.

The inquiry focused on Meta's compliance with the General Data Protection Regulation (GDPR), particularly regarding the implementation of appropriate security measures for password processing and adherence to obligations for documenting and reporting personal data breaches.

Deputy commissioner at the DPC, Graham Doyle, emphasised the gravity of the situation, stating, "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users' social media accounts."

The DPC's decision outlined four specific GDPR infringements by Meta: failure to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext (Article 33(1)); failure to document personal data breaches related to the storage of user passwords in plaintext (Article 33(5)); failure to use appropriate technical or organisational measures to ensure appropriate security of users' passwords against unauthorised processing (Article 5(1)(f)); and failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords (Article 32(1)).

In addition to the substantial fine, the DPC issued a reprimand to Meta as part of its corrective powers under the GDPR.

The incident came to light in March 2019 when Meta discovered it had inadvertently stored certain user passwords in 'plaintext' on its internal systems, meaning the passwords were held as readable text rather than as salted, one-way hashes, so anyone with read access to those systems could have recovered them directly. Meta publicly disclosed this at the time, stating that the passwords had not been visible to anyone outside the company.
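To make the distinction concrete, the following is an added example (not Meta's code and not drawn from the DPC decision) contrasting a record that stores the password itself with one that stores only a per-user random salt and a slow one-way hash, here `hashlib.scrypt` from the Python standard library. The work factors, the sample username and password, and the helper names are all assumptions made for illustration; the `record_exposes_password` check is a simple reviewer heuristic that looks for the verbatim password in any persisted record.

```python
"""Added example (not Meta's code, not from the DPC decision): plaintext
password storage versus salted, slow, one-way hashing, standard library only."""
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors: assumed illustrative values; tune to your hardware.
# Memory use is 128 * N * r bytes, here 16 MiB, under hashlib's 32 MiB default cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def store_plaintext(username: str, password: str) -> dict:
    """The failure mode at issue: the credential itself is persisted.
    Anyone who can read this record can log in as the user."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened form: keep only a random per-user salt and a slow one-way hash.
    The password cannot be recovered from the record, only verified against it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {
        "user": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        # Store the parameters so they can be raised later without breaking old records.
        "params": {"n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P},
    }


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    p = record["params"]
    digest = hashlib.scrypt(candidate.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=p["n"], r=p["r"], p=p["p"], dklen=KEY_LEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_exposes_password(record: dict, password: str) -> bool:
    """Reviewer heuristic: does the password appear verbatim in the serialised
    record (database row, log line, debug dump)? Hex digests cannot contain
    letters beyond a-f, so a plaintext leak stands out; a short all-hex password
    could give a false positive, which is the safe direction for a check like this."""
    return password in repr(record)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    bad = store_plaintext("alice", pw)   # constructed sample user
    good = store_hashed("alice", pw)
    print("plaintext record leaks password:", record_exposes_password(bad, pw))
    print("hashed record leaks password:", record_exposes_password(good, pw))
    print("verify correct password:", verify_hashed(good, pw))
    print("verify wrong password:", verify_hashed(good, "wrong"))
```

Reversible encryption would not have been an adequate substitute: an encrypted password store still lets whoever holds the key recover every credential, whereas a salted slow hash lets the service confirm a login attempt without ever being able to reproduce the password.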

This decision underscores the importance of the GDPR principle of integrity and confidentiality (Article 5(1)(f)). The regulation requires data controllers to implement security measures appropriate to the risk when processing personal data, taking into account factors such as the risks to service users and the nature of the processing; for authentication credentials, that means they are never held in a form from which they can be read back.

The DPC's ruling also highlights the obligation for data controllers to properly document personal data breaches and to notify the supervisory authority without undue delay, where feasible within 72 hours of becoming aware of the breach, as stipulated by Article 33 of the GDPR.

This latest fine brings the total amount levied against Meta by the DPC to €2.5 billion for GDPR breaches since its introduction in 2018. The Irish regulator serves as the lead EU privacy watchdog for many major US technology companies due to their European operations being based in Ireland.

Meta has not yet commented on whether it intends to appeal the decision. The full text of the DPC's decision is expected to be published in the coming days, providing further details on the case and its implications for data protection practices in the tech industry.
