Meta challenges €91m Data Protection Commission fine

Facebook and Instagram owner wants the High Court to overturn the 'wholly disproportionate' fine imposed for improperly storing user passwords.
Meta, which operates Facebook and Instagram, claims Ireland's Data Protection Commission failed to consider whether the fines were 'effective, proportionate and dissuasive', as required by the GDPR. File picture: Brian Lawless/PA

Mark Zuckerberg’s Meta wants the High Court to overturn a “wholly disproportionate” €91m penalty imposed on it by Ireland’s data protection regulator for improperly storing user passwords.

The fines, which were imposed last September under the General Data Protection Regulation (GDPR), relate to a 2019 incident where it was discovered the company had stored some user passwords in plaintext, which is an easily readable format, instead of applying encryption.

Meta, which operates Facebook and Instagram, claims Ireland's Data Protection Commission (DPC) failed to consider whether the fines totalling €91m were “effective, proportionate and dissuasive”, as required by the GDPR.

The principle of proportionality is a “fundamental principle” of EU law, but the €91m penalties are “excessive and go beyond what is required to be effective and dissuasive”, Meta says.

The company further claims that the commission acted in breach of fair procedures and due process by calculating the fine by reference to Meta’s global turnover without affording it full rights of defence.

Meta is asking the High Court to quash the DPC’s September 2024 decision and accompanying fines totalling €91m. It also seeks a court declaration that sections of the Irish Data Protection Act are unconstitutional and incompatible with the State’s obligations under the European Convention on Human Rights.

Also among the company’s claims is that the DPC “misinterpreted and misapplied” an article of the GDPR that defines a “personal data breach” and wrongly concluded that every plaintext password logged amounted to “personal data”. 

Meta accepted some of the instances were personal data, but in many cases the plaintext passwords were not logged alongside identifying features, it says.

Meta claims the DPC incorrectly found there had been “unauthorised disclosure of, or access to, personal data”. There was, in fact, no disclosure or access to personal data in relation to the issue, the company says.

The case came before Ms Justice Mary Rose Gearty on Monday, when she made an order permitting Meta to pursue its claims via the court’s judicial review mechanism. She heard the application while only Meta was represented in court.

Meta’s lawyers said the company has also initiated a statutory appeal over the same September 2024 decision.

The fine is one of several imposed by the DPC on Meta. 

The most significant was issued in May 2023, when the company was fined a record €1.2bn for violating European privacy rules, following a long investigation into transfers by Facebook of Europeans’ personal data to the US. This decision is the subject of a High Court challenge by Meta.

Last December, the regulator handed down a €251m fine following a data breach, affecting 29m Facebook accounts globally, that was reported by Meta in September 2018.

A €265m penalty was given in 2022 over a “collated” set of Facebook personal data that had been uploaded onto an online forum.


© Examiner Echo Group Limited