Meta Fined €91 Million for Improper Password Storage
Meta, the parent company of Facebook, has been fined €91 million (£75 million) by the Irish Data Protection Commission (DPC) following an investigation into its handling of user passwords. The inquiry began in April 2019, when Meta notified the DPC that it had inadvertently stored certain user passwords in "plaintext" on its internal systems, that is, in readable form without any cryptographic protection.
The DPC's investigation identified four breaches of the General Data Protection Regulation (GDPR). In June 2024 the DPC submitted a draft decision to the other European data protection authorities, none of which raised objections. The final decision, which includes a reprimand alongside the fine, was communicated to Meta on 26 September 2024.
This latest penalty is part of a broader pattern of fines levied against Meta for data mishandling. Just last year, the company was fined €1.2 billion (£1 billion) for improper data transfers between Europe and the United States, marking the largest penalty under the EU’s GDPR privacy law. Additionally, in 2022, Meta faced a €265 million (£220 million) fine after sensitive data from millions of users was leaked on a hacking forum.
9 Key Takeaways for Businesses
The DPC's ruling highlights the importance of implementing robust security measures for personal data and ensuring compliance with GDPR regulations. Here are some key takeaways:
1. Prioritise Data Security
Ensure that sensitive information, especially user passwords, is stored securely. Passwords in particular should never be stored in a reversible form at all, whether plaintext or encrypted: the accepted practice is to store only a salted hash produced by a deliberately slow password-hashing function (for example bcrypt, scrypt or Argon2), so that even an insider or an attacker who obtains the database cannot recover the original passwords. Equally important is making sure that passwords do not leak in readable form into logs, crash reports or other internal systems along the way. Storing passwords in plaintext is unacceptable and poses significant risks.
2. Understand GDPR Compliance
Familiarise yourself with the General Data Protection Regulation (GDPR) requirements, particularly regarding data breach notification, documentation, and security measures. Non-compliance can lead to severe penalties.
3. Implement Robust Breach Notification Protocols
Establish clear procedures for identifying, documenting and reporting data breaches to regulatory authorities promptly. GDPR (Article 33) requires a personal data breach to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Delays in reporting can exacerbate penalties and damage reputation.
4. Conduct Regular Security Audits
Regularly assess and audit your data protection practices to identify vulnerabilities, including reviewing where sensitive data such as credentials is written, logged or copied. This proactive approach helps mitigate the risks associated with data processing and supports compliance.
5. Train Employees on Data Protection
Provide comprehensive training to employees about data security protocols and GDPR obligations. Awareness and education are critical to preventing inadvertent breaches.
6. Establish a Culture of Privacy
Foster an organisational culture that prioritises data privacy and protection. Leadership should emphasise the importance of safeguarding user information as a core business value.
7. Stay Updated on Regulatory Changes
Keep updated on any changes in data protection laws and regulations to ensure ongoing compliance. This includes being aware of how authorities interpret and enforce existing regulations.
8. Consider the Reputational Impact
Understand that fines and data breaches can severely impact your business's reputation. Prioritising data security not only protects you from penalties but also builds trust with your clients and customers.
9. Engage Legal and Compliance Experts
Work with legal and compliance professionals to ensure that your data protection strategies align with regulatory requirements. Their expertise can help navigate complex data protection landscapes.
By taking these steps, businesses can not only avoid hefty fines but also enhance their credibility and build stronger relationships with clients through responsible data management.
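To make the first takeaway concrete, the following is an added example (not code from the original article or from Meta) showing the difference between storing a password and storing a salted, slow hash of it. It uses scrypt from Python's standard library; the parameter values and the `scrypt$...` record format are choices made for this illustration, not a standard.

```python
"""Password storage: keep a salted, slow hash, never the password itself."""
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost parameters (illustrative values, not a standard; raise them as
# hardware improves). n is the CPU/memory cost, r the block size, p parallelism.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per password
DKLEN = 32      # bytes of derived hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, salt and hash.

    The record contains no reversible form of the password. A fresh random
    salt means two users with the same password get different records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record into (n, r, p, salt, digest); ValueError if malformed."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported algorithm")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        n, r, p, salt, expected = _parse(record)
    except ValueError:
        return False  # malformed or unknown record: deny rather than crash
    actual = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made with weaker parameters than currently required.

    Call this after a successful login so old records are upgraded transparently.
    """
    try:
        n, r, p, _salt, _digest = _parse(record)
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    pw = "correct horse battery staple"
    record = hash_password(pw)
    print("stored record:", record)
    print("plaintext present in record?", pw in record)        # False
    print("login with right password:", verify_password(pw, record))   # True
    print("login with wrong password:", verify_password(pw + "!", record))  # False
    print("needs rehash?", needs_rehash(record))               # False
```

The point of the record format is that everything needed to check a password later is stored alongside the hash except the password itself, so a copy of the database, a backup or a stray log line containing the record does not expose user credentials.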
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.