The Irish Data Protection Authority (DPC) published its ruling on 17 December following two investigations into Meta Platforms Ireland Limited (MPIL). The investigations were launched in 2018 following a security breach affecting 29 million Facebook users, including three million users in Europe.

The breach was caused by the illegal use of user tokens by third parties, which gave them access to personal data such as names, e-mail addresses, telephone numbers, birth dates, location data, wall entries and religious beliefs.

The DPC fined Meta a total of 251 million euros for breach of the general data protection rules.

This ruling underlines the responsibility of companies to ensure the security of personal data, including the inherent and default protection of personal data in the design of their systems.

See the DPC's press release for more details here (in English).