On 17 December 2024, the Irish Data Protection Commission ("DPC") announced its penalty decision against Meta, the parent company of Facebook, imposing fines totalling €251 million.
The investigation into Meta was launched by the DPC on its own initiative following a personal data breach reported in September 2018. The breach affected approximately 29 million Facebook accounts worldwide, of which approximately 3 million were located in the EU/EEA.
The categories of affected personal data included users' full names, email addresses, phone numbers, locations, places of work, dates of birth, religion, gender, posts on timelines, groups the user had joined, and children's personal data. The breach was caused by unauthorised third parties illegitimately exploiting user tokens on the Facebook platform.
The infringements identified in the DPC's decision were: (1) failing to include in its breach notification all the information required under the GDPR; (2) failing to document the facts of each breach and the remedial steps taken in a way that allows the supervisory authority to verify compliance; (3) failing to ensure that data protection principles were implemented in the design of data processing systems; and (4) as data controller, failing to ensure that, by default, only the personal data necessary for specific purposes are processed.
The DPC imposed fines totalling €251 million on Meta for these four infringements.
The Irish Data Protection Commission (DPC) has today announced its final decisions following two inquiries into Meta Platforms Ireland Limited (‘MPIL’). These own-volition inquiries were launched by the DPC following a personal data breach, which was reported by MPIL in September 2018.
This data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included: user’s full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data. The breach arose from the exploitation by unauthorised third parties of user tokens[1] on the Facebook platform. The breach was remedied by MPIL and its US parent company shortly after its discovery.
The decisions, which were made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling €251 million.
The DPC submitted a draft decision to the GDPR cooperation mechanism in Sept 2024, as required under Article 60 of the GDPR[2]. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.
The DPC’s final decisions record the following findings of infringement of the GDPR:
Decision 1:
- Article 33(3) GDPR - By not including in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.
- Article 33(5) GDPR - By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.
Decision 2:
- Article 25(1) GDPR - By failing to ensure that data protection principles were protected in the design of processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.
- Article 25(2) GDPR - By failing in its obligations as controller to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.
DPC Deputy Commissioner Graham Doyle commented:
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals. Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”