It has been almost five and a half years since the Irish Data Protection Commission (DPC) opened an investigation into Facebook, Inc., the group of social media companies we now know as Meta Platforms, Inc. The investigation was opened shortly after it became known that Facebook and Instagram had stored millions of their users’ passwords in plain text, that is, in a format readable by company employees. Now the body in charge of ensuring compliance with the General Data Protection Regulation (GDPR) has announced its final decision.
Fine of 91 million euros. Companies operating in the European Union must pay special attention to protecting users’ personal information, and getting it wrong can be expensive. A clear example is what has just happened to Meta, which has been fined 91 million euros for violating the GDPR through the security failure described above. The decision, adopted on September 26 by Data Protection Commissioners Dr Des Hogan and Dale Sunderland, is accompanied by a formal reprimand intended to prevent breaches of this kind in the future.
The notification controversy. The GDPR not only obliges companies to handle their users’ data properly, it also requires the supervisory authority to be notified when a personal data breach occurs. This is established in Article 33, which requires notification “without undue delay” and, where feasible, within 72 hours of the company becoming aware of the breach. Meta notified the DPC of the incident in March 2019 and also set about informing affected users. The DPC, however, finds that Meta did not properly comply with this obligation. The full details will be known when the complete decision is published.
For now, we know that the fine and reprimand respond to the DPC’s findings that the company led by Mark Zuckerberg did not properly notify the incident, did not correctly document what happened, did not use adequate security measures to protect passwords against “unauthorized processing,” and did not implement adequate measures to “ensure a level of security appropriate to the risk.” Deputy Commissioner Graham Doyle said: “It is well known that user passwords should not be stored in clear text, as this carries risks of someone accessing and misusing that information.”
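To make the difference Doyle is pointing at concrete, the Python below is an added example, not Meta’s code and not part of the original article. It places the sanctioned pattern (the password itself is the stored record, readable by anyone who can read the table) next to the expected one (a per-user random salt and a slow, one-way hash computed with hashlib.pbkdf2_hmac, checked in constant time). The usernames, passwords, record format and iteration count are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials for the example (not real accounts).
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"

# --- The sanctioned pattern: the password as typed is the stored value. ---
# Whoever can read this store (an employee with database access, a backup
# job, a log pipeline) reads every password directly.
plaintext_store = {}

def store_plaintext(username, password):
    plaintext_store[username] = password

def check_plaintext(username, password):
    return plaintext_store.get(username) == password

# --- The expected pattern: salted, iterated, one-way hash. ---
# PBKDF2-HMAC-SHA256 is used because it ships with hashlib everywhere; the
# iteration count and the "algo$iters$salt$digest" record format are this
# example's own choices (assumptions), not anything from the DPC decision.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

hashed_store = {}
# Dummy record so that an unknown username costs as much as a wrong password.
DUMMY_RECORD = hash_password("")

def store_hashed(username, password, iterations=PBKDF2_ITERATIONS):
    hashed_store[username] = hash_password(password, iterations)

def check_hashed(username, password):
    record = hashed_store.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)  # equalise timing, then reject
        return False
    return verify_password(password, record)

def leaks_password(store, password):
    """What someone reading the raw table sees: is the password recoverable by inspection?"""
    return any(password in value for value in store.values())

if __name__ == "__main__":
    store_plaintext(SAMPLE_USER, SAMPLE_PASSWORD)
    store_hashed(SAMPLE_USER, SAMPLE_PASSWORD)
    print("plaintext table leaks password:", leaks_password(plaintext_store, SAMPLE_PASSWORD))
    print("hashed table leaks password:   ", leaks_password(hashed_store, SAMPLE_PASSWORD))
    print("login, right password:", check_hashed(SAMPLE_USER, SAMPLE_PASSWORD))
    print("login, wrong password:", check_hashed(SAMPLE_USER, "wrong"))
```

Two details matter beyond "hash it": the salt is random per record, so two users with the same password get different records and a precomputed table is useless, and the comparison uses hmac.compare_digest so a wrong guess cannot be timed byte by byte. Whether the hashed table can be dumped by an employee is then a much smaller problem than with the plaintext table, which is the point of Doyle’s remark.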
Passwords did not leave Meta. The DPC and Meta agree on a very important point: the passwords were not exposed to third parties. That is, although they were stored in plain text for a period of time, no one outside the company could access them, and there is no evidence that the passwords were misused. That does not remove the risk, however: a plaintext store is readable by anyone inside the company with access to it, which is the “unauthorized processing” the decision refers to. The problem, according to the company, was resolved quickly, and it has since rolled out additional security measures to reduce users’ reliance on passwords.
Why the Irish Data Protection Commission. The European Data Protection Board (EDPB) is made up of the national data protection authorities of the member states, such as the Spanish Data Protection Agency (AEPD). The DPC’s actions are nevertheless relevant for several reasons. Firstly, Meta’s European headquarters, Meta Platforms Ireland Limited, is located in Ireland, which makes the DPC its lead supervisory authority under the GDPR. Secondly, the DPC works together with its peers to ensure compliance with the GDPR across the Union. A year ago, for example, the DPC fined TikTok 345 million euros.
Images | Meta (1, 2) | Christian Lue