Meta fined €251m by Data Protection Commission after personal data breach

Facebook owner Meta has been fined €251 million by the Data Protection Commission (DPC) following a personal data breach.

Around 29 million Facebook accounts globally, including around three million based in the EU/EEA, were impacted by a data breach reported by Meta Platforms Ireland Limited (MPIL) in September 2018.

The personal data affected included full names, email addresses, phone numbers, locations, places of work, dates of birth, religions, genders, posts on timelines, groups of which a user was a member, and children’s personal data.

The breach arose from the exploitation by unauthorised third parties of user access tokens on the Facebook platform. The breach was remedied by MPIL and its US parent company shortly after its discovery.

The DPC launched two own-volition inquiries following the breach and has now issued final decisions.

The decisions, made by data protection commissioners Dr Des Hogan and Dale Sunderland, include a number of reprimands and an order to pay administrative fines totalling €251 million.

In the first decision, MPIL was found to have infringed Article 33(3) GDPR by failing to include in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regard to this provision and ordered it to pay administrative fines of €8 million.

MPIL was also found to have infringed Article 33(5) GDPR by failing to document the facts relating to each breach and the steps taken to remedy them, and to do so in a way that allows the supervisory authority to verify compliance. The DPC reprimanded MPIL for failures in regard to this provision and ordered it to pay administrative fines of €3 million.

In the second decision, MPIL was found to have infringed Article 25(1) GDPR by failing to ensure that data protection principles were built into the design of its processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.

MPIL was also found to have infringed Article 25(2) GDPR by failing in its obligations as controller to ensure that, by default, only personal data that are necessary for each specific purpose are processed. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.

DPC deputy commissioner Graham Doyle said: “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.

“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances.

“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
