The Data Protection Commission (DPC) of Ireland announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL) on 27 September 2024. This inquiry was launched in April 2019, after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption).
The DPC submitted a draft decision to the other Concerned Supervisory Authorities across the EU/EEA in June 2024, as required under Article 60 of the GDPR. No objections to the draft decision were raised by the other authorities.
The decision, which was made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, and notified to MPIL on 26 September 2024, includes a reprimand and a fine of EUR 91 million.
The DPC’s Decision records the following findings of infringement of the GDPR:
- Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
- Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
- Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing; and
- Article 32(1) GDPR, because MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
Deputy Commissioner at the DPC, Graham Doyle commented “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
In March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption). MPIL also published information regarding this incident in March 2019. These passwords were not made available to external parties.
The scope of the Inquiry, which commenced in April 2019, assessed MPIL’s compliance with the General Data Protection Regulation (GDPR), and in particular, whether MPIL implemented measures to ensure a level of security appropriate to the risks associated with the processing of passwords, and whether MPIL complied with its obligations to document, and notify the DPC of, personal data breaches.
This Decision of the DPC concerns the GDPR principles of integrity and confidentiality. The GDPR requires data controllers to implement appropriate security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing. In order to maintain security, data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks. This decision emphasises the need to take such measures when storing user passwords.
The GDPR also requires data controllers to properly document personal data breaches, and to notify data protection authorities of breaches that occur. A personal data breach may, if not addressed in an appropriate and timely manner, result in damage such as loss of control over personal data. Therefore, when a controller becomes aware that a personal data breach has occurred, the controller should notify the supervisory authority without undue delay, in the manner prescribed by Article 33 GDPR.
The decision contains the following corrective powers:
- A reprimand pursuant to Article 58(2)(b) GDPR; and
- Administrative fines totalling EUR 91 million pursuant to Articles 58(2)(i) and 83 GDPR.
Article 60 of the GDPR regulates the cooperation procedure between the Lead Supervisory Authority and the other Concerned Supervisory Authorities.