The European Union’s privacy regulator has hit social media giant Meta with a fine of 91 million euros ($101.6 million) after it was revealed that the company inadvertently stored some users’ passwords without proper encryption or protection. This inquiry, initiated five years ago, began when Meta informed Ireland’s Data Protection Commission (DPC) that it had stored certain passwords in ‘plaintext.’ At the time, Meta publicly acknowledged the issue, and the DPC confirmed that these unprotected passwords were not exposed to any external parties.
Commenting on the matter, Irish DPC Deputy Commissioner Graham Doyle emphasised that storing user passwords in plaintext is widely considered a serious security lapse due to the risks of abuse if unauthorised individuals gain access to the data. A Meta spokesperson explained that the company took swift action to resolve the error after discovering it during a security audit in 2019. According to Meta, there is no evidence that any of the unprotected passwords were accessed or misused.
Meta reportedly cooperated fully with the DPC throughout the investigation. The Irish DPC serves as the primary EU regulatory body for most major U.S. tech companies, as many have their European headquarters in Ireland. To date, Meta has been fined a total of 2.5 billion euros for various violations under the General Data Protection Regulation (GDPR), which was enacted in 2018. This includes a record-setting 1.2 billion euro fine in 2023, which Meta is currently appealing.
Meta Expresses Concerns Over GDPR
Several prominent technology companies, including Meta, Google, and Spotify, have expressed significant concerns over the European Union's (EU) data privacy regulations, arguing in particular that these rules may hinder technological development. In a recently issued open letter, these tech giants, along with researchers and various industry organisations, cautioned that Europe risks lagging behind in the fast-evolving landscape.
They attribute this potential setback to what they describe as inconsistent and unpredictable regulatory actions across the region. Specifically, the letter takes aim at recent amendments to the General Data Protection Regulation (GDPR), originally enacted in 2018. The signatories argue that the current framework creates confusion about the permissible use of data, which in turn is stifling innovation and limiting the competitiveness of several European companies.