It’s a costly day for Meta. First, Australia announced a $50 million AUD ($31.7 million) settlement with the company over the Cambridge Analytica scandal, and now the Irish Data Protection Commission (IDPC) has fined Meta €251 million ($263 million). The IRDC fine stems from a personal data breach at Facebook in 2018.
Hackers exploited a “security vulnerability in Facebook’s code” related to the company’s “View As” feature, the company said at the time. It allowed them to obtain users’ access tokens and take control of those accounts. The bad actors were able to log into about 29 million global Facebook user accounts, including three million users in the European Union and European Economic Area. They were able to access information such as a user’s full name, email address, phone number, location, date of birth, religion, and children’s personal data.
The IDPC holds Meta accountable for failing to provide adequate data protection when designing its processing systems, for failing to process personal data only when specifically necessary and for failing to disclose all information relating to the breach.
“This enforcement action highlights how failing to build data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to individuals’ fundamental rights and freedoms,” said DPC Deputy Commissioner Graham Doyle. “By allowing unauthorized disclosure of profile information, the vulnerabilities underlying this breach created a significant risk of misuse of these types of data.”
Below, the Cambridge Analytica scandal settlement stems from a whistleblower who revealed in 2018 that the company had “exploited Facebook to harvest the profiles of millions of people.” Facebook had discovered this three years earlier. Cambridge Analytica had used this information to influence US voters for Donald Trump’s 2016 campaign and the pro-Brexit campaign. The company was previously led by Steve Bannon, who recently served time in prison for refusing to cooperate with the January 6 investigation.
The settlement is set to pay out to about 311,127 people. Eligible parties must have had a Facebook account between November 2015 and December 2015, have spent more than 30 days in Australia during that period and have personally or had a Facebook friend install the This is Your Digital Life app. Meta previously agreed to pay $725 million to users in the United States.
