Meta Penalized $101.8 Million for Keeping 600 Million Facebook Passwords in Unencrypted Text Format

# Meta Penalized $101.8 Million for Keeping Facebook Passwords in Plaintext: An Examination of GDPR

In 2019, Facebook, now Meta, came under intense scrutiny after it became known that the firm had kept approximately 600 million user passwords in plaintext on its internal systems. Although Meta reported no evidence that the passwords had been stolen or abused, the fact that employees could have read them raised critical questions about data protection. Fast forward to today, and the consequences of this lapse are still resonating, culminating in a €91 million ($101.8 million) penalty issued by the Irish Data Protection Commission (DPC).

This penalty stems directly from Meta’s noncompliance with the European Union’s General Data Protection Regulation (GDPR), which outlines rigorous provisions for the management of user data. Let’s delve deeper into the specifics of the case, the breaches of GDPR, and the implications for Meta and other technology firms in the future.

## The Event: Keeping Passwords in Plaintext

In 2019, Facebook acknowledged that it had been storing millions of user passwords in plaintext on its internal systems. In other words, the passwords were held as the readable secret itself rather than as a salted one-way hash, so anyone with read access to those internal data stores could have used them directly to log in as the affected users. Although Facebook asserted that the passwords were never exposed to outsiders, the ability for employees to access them raised enough alarm to prompt an investigation by the Irish Data Protection Commission (DPC).

The DPC, which is responsible for overseeing GDPR adherence for companies like Meta with European bases in Ireland, initiated an inquiry into the issue. The findings of this inquiry have now resulted in the fine and admonishment directed at Meta.

## The GDPR and Its Role in Data Security

The General Data Protection Regulation (GDPR) became effective in May 2018 and is regarded as one of the most far-reaching data protection laws globally. Its objective is to provide EU residents greater authority over their personal data and to ensure that companies managing such data do so with care.

According to the GDPR, businesses are required to:

– **Implement appropriate technical and organizational security measures** to protect personal data (Article 32).
– **Notify the supervisory authority** without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach (Article 33(1)).
– **Document every personal data breach**, including its effects and the remedial action taken, so the authority can verify compliance (Article 33(5)).
– **Empower users** regarding their data, including the right to access or delete it.

Noncompliance with these stipulations can incur hefty fines, as Meta has recently discovered.

## Meta’s Breaches of GDPR

The DPC determined that Meta (previously known as Facebook) had contravened several crucial articles of the GDPR in connection with the incident of plaintext password storage. Specifically, Meta was found in violation of the following:

1. **Article 33(1) GDPR**: Meta neglected to inform the DPC about a personal data breach concerning the storage of user passwords in plaintext.

2. **Article 33(5) GDPR**: Meta failed to adequately document the personal data breaches associated with the plaintext password storage.

3. **Article 5(1)(f) GDPR**: Meta did not apply appropriate technical or organizational measures to guarantee the security of users’ passwords, making them susceptible to unauthorized access.

4. **Article 32(1) GDPR**: Meta did not enforce sufficient security measures to protect the confidentiality of user passwords, a vital requirement under GDPR.

In a statement, DPC Deputy Commissioner Graham Doyle underscored the gravity of the situation, highlighting that “it is broadly acknowledged that user passwords should never be stored in plaintext, given the risks of misuse that arise from individuals accessing such information.” He also remarked that the passwords involved were particularly critical, as they granted access to users’ social media profiles.

## The Outcomes: A $101.8 Million Penalty

As a consequence of these infringements, the DPC imposed a fine of €91 million ($101.8 million) on Meta. The penalty is a stark reminder of the serious repercussions that businesses face when they neglect their GDPR obligations. It is accompanied by an official reprimand, further emphasizing the DPC’s dissatisfaction with Meta’s handling of the matter.

Although Meta has since remediated the issue, the fine acts as a clear reminder that companies must take proactive steps to protect user data. Note that the accepted remedy for password storage is not reversible encryption but a salted, deliberately slow one-way hash (bcrypt, scrypt or Argon2): an encrypted password can still be recovered by anyone holding the key, whereas a properly hashed one can only be checked against a guess. The GDPR is not merely about reacting to data breaches but about preventing them through effective security practices.
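What “appropriate technical measures” look like for password storage, as an added example that is not from the page and not Meta’s own code. It contrasts the penalised pattern (the secret itself is the stored record) with a salted scrypt hash, verifies a login against the stored record in constant time, and includes a check for whether an at-rest record or log line still contains the raw password. The record format (`scrypt$N$salt$key`) and the scrypt cost parameters are assumptions chosen for the example, and the password strings are constructed test inputs.

```python
import hashlib
import hmac
import os

# scrypt cost parameters and record layout are assumptions for this example,
# not values taken from the page or from any real deployment.
SCRYPT_N = 2 ** 14      # CPU/memory cost; 128 * N * r = 16 MiB per hash here
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def store_plaintext(password: str) -> str:
    """The pattern the DPC penalised: the stored record IS the password.
    Anyone who can read the table, a backup, or a log line has the secret."""
    return password


def hash_password(password: str) -> str:
    """Store a per-user salted, memory-hard hash instead of the password.

    Record format: scrypt$<N>$<salt-hex>$<key-hex>. The record lets a server
    verify a guess but gives an insider no way to recover the password itself,
    and the random salt means two users with the same password get different records.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or unknown records fail closed rather than raising."""
    try:
        scheme, n, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        cost = int(n)
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=cost, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def record_leaks_password(password: str, record: str) -> bool:
    """Does an at-rest record (a DB row, a backup, a log line) contain the raw secret?
    This substring check is the class of exposure the DPC findings describe."""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed example input
    bad = store_plaintext(pw)
    good = hash_password(pw)
    print("plaintext record leaks password:", record_leaks_password(pw, bad))
    print("hashed record leaks password:   ", record_leaks_password(pw, good))
    print("login with right password:      ", verify_password(pw, good))
    print("login with wrong password:      ", verify_password("Tr0ub4dor&3", good))
```

The `record_leaks_password` check is deliberately naive; in practice the equivalent control is a log-scrubbing rule or a data-loss scan run over logs and dumps, since the 2019 incident involved passwords that ended up readable inside internal systems rather than a deliberately plaintext user table.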

## Implications for Meta and Other Tech Giants

The financial penalty against Meta is part of a broader trend of fines imposed on technology leaders under the GDPR framework. The regulation has profoundly transformed how companies manage user information, especially in Europe, where data privacy holds significant importance.

For Meta, this fine constitutes yet another challenge among a series of obstacles faced in recent times. Despite its transition from Facebook to Meta, the company continues to struggle with privacy and security dilemmas, many of which arise from its treatment of user data.

For other technology companies, this case serves as a warning. The GDPR is not merely a collection of regulations; it embodies vital principles that demand strict compliance.