On December 17, 2024, the Irish Data Protection Commission (the “DPC”) announced that it had concluded two inquiries initiated following a personal data breach reported in 2018 affecting Meta Platforms Ireland Limited (“Meta Ireland”), resulting in the DPC issuing multiple administrative fines totaling €251 million (approx. $267 million) and several reprimands.

According to the DPC, the data breach impacted 3 million user accounts based in the EU/EEA and 29 million Facebook accounts globally. As a result of its inquiries, the DPC adopted two decisions in which it considered that Meta Ireland had infringed the following EU General Data Protection Regulation (“GDPR”) provisions:

• Article 33(3) related to the content of the notification to the supervisory authority in case of a personal data breach. The DPC considered that Meta Ireland did not include in its notification all of the information required by the GDPR.
• Article 33(5) regarding the obligation to adequately document personal data breaches.
• Articles 25(1) and (2) regarding data protection by design and by default. The DPC considered that Meta Ireland had failed to ensure that data protection principles were protected in the design of its processing systems and that, by default, only personal data that are necessary for specific purposes are processed.

Before being finalized by the DPC, this decision was submitted to the remaining concerned supervisory authorities in the EU under Article 60 of the GDPR. The remaining supervisory authorities did not raise any objections to the DPC’s decision. 

Read the press release (the full decisions are not yet available at time of writing).