Irish Data Protection Commission fines Meta Ireland 91 million 27092024 Data Protection Commission

p27th September 2024ppThe Data Protection Commission DPC has today announced its final decision following an inquiry into Meta Platforms Ireland Limited MPIL This inquiry was launched in April 2019 after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in plaintext on its internal systems ie without cryptographic protection or encryptionppThe DPC submitted a draft decision to the other Concerned Supervisory Authorities across the EUEEA in June 2024 as required under Article 60 of the GDPR No objections to the draft decision were raised by the other authoritiesppThe decision which was made by the Commissioners for Data Protection Dr Des Hogan and Dale Sunderland and notified to MPIL yesterday September 26 includes a reprimand and a fine of 91millionppThe DPCs Decision records the following findings of infringement of the GDPRppDeputy Commissioner at the DPC Graham Doyle commented It is widely accepted that user passwords should not be stored in plaintext considering the risks of abuse that arise from persons accessing such data It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive as they would enable access to users social media accountsppThe DPC will publish the full Decision and further related information in due courseppBackgroundppIn March 2019 MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in plaintext on its internal systems ie without cryptographic protection or encryption MPIL also published information regarding this incident in March 20191 These passwords were not made available to external partiesppThe scope of the Inquiry which commenced in April 2019 assessed MPILs compliance with the General Data Protection Regulation GDPR and in particular whether MPIL implemented measures to ensure a level of security appropriate to the risks associated with the processing of passwords and whether MPIL complied with its obligations to document and notify the DPC of personal data breachesppThis Decision of the DPC concerns the GDPR principles of integrity and confidentiality The GDPR requires data controllers to implement appropriate security measures when processing personal data taking into account factors such as the risks to service users and the nature of the data processing In order to maintain security data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks This decision emphasises the need to take such measures when storing user passwordsppThe GDPR also requires data controllers to properly document personal data breaches and to notify data protection authorities of breaches that occur A personal data breach may if not addressed in an appropriate and timely manner result in damage such as loss of control over personal data Therefore when a controller becomes aware that a personal data breach has occurred the controller should notify the supervisory authority without undue delay in the manner prescribed by Article 33 GDPRppThe decision contains the following corrective powersppArticle 60 of the GDPR regulates the cooperation procedure between the Lead Supervisory Authority and the other Concerned Supervisory Authoritiespppp1Available at httpsaboutfbcomnews201903keepingpasswordssecurepp
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
pp
pp


ppWebsite Development by FUSIOp