EU Privacy Regulator Fines Meta 251 Million Euros for 2018 Data Breach

Meta has been fined 251 million euros ($263.5 million) by the Data Protection Commission (DPC), the lead European Union data privacy regulator, for a 2018 security breach that exposed the personal data of 29 million users on Facebook.

Details of the Breach

The breach occurred after cyber attackers exploited a vulnerability in Facebook’s “View As” feature, which allowed users to see how their profile appeared to others. This vulnerability led to the exposure of sensitive personal data, including users’ full names, contact details, location, place of work, date of birth, religion, gender, and in some cases, children’s personal information.

According to Graham Doyle, Deputy Commissioner at the DPC, the breach posed a significant risk for the misuse of this data. Although the breach affected 29 million accounts globally, 3 million of those were in the EU and the European Economic Area (EEA).

Meta’s Response and Penalty

Meta addressed the issue shortly after the breach was discovered and took action to remedy the vulnerability. Despite this, the DPC imposed a fine under the EU’s General Data Protection Regulation (GDPR), which has led to significant penalties for Meta in recent years. To date, Meta has been fined almost 3 billion euros for breaches under GDPR, including a record 1.2 billion euros fine in 2023 related to data privacy violations, which Meta is currently appealing.

Meta’s Appeal

Meta has announced its intention to appeal the fine and reiterated its commitment to protecting users’ privacy. A company spokesperson stated, “We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission.”

Broader Context

The DPC oversees the majority of large U.S. internet companies operating in the EU, as these firms have their European operations based in Ireland. This fine marks another chapter in the EU’s ongoing efforts to enforce data protection regulations under the GDPR, which was introduced in 2018 to strengthen privacy rights across the region.