Ireland Data Protection Commission fines Meta €91M over improper password storage

The Irish Data Protection Commission (DPC) announced on Friday that it is fining Meta Platforms Ireland Limited (MPIL) 91 million euros over improper password storage. The decision by Commissioners Des Hogan and Dale Sunderland follows an inquiry into MPIL initiated in 2019.

In March 2019, Meta stated, “we found that some user passwords were being stored in a readable format within our internal data storage systems.” The DPC initiated an investigation into this event for possible issues regarding data privacy and data protection. In its initial announcement, Meta mentioned, “[o]ur investigation has determined that these stored passwords were not internally abused or improperly accessed.”

Despite this, the DPC decided to reprimand and fine Meta. As Graham Doyle, deputy commissioner of the DPC, announced, “user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”

The DPC assesses compliance with the EU’s General Data Protection Regulation (GDPR). In this case, the DPC found Meta Ireland violated several provisions of the regulation. There was a violation of Article 33, as Meta failed to document and notify the competent supervisory authority, the Irish DPC, of a breach of personal data. Moreover, MPIL did not take appropriate technical measures to ensure the protection of personal data from unlawful processing as stipulated in Article 5. Finally, the DPC found a breach of Article 32 since MPIL did not take appropriate measures to ensure an appropriate level of security. The DPC can issue a fine in accordance with Articles 58 and 83 of the regulation.

This is not the first time a body of the EU has fined Meta for not maintaining European standards of data protection. In March 2022, the Irish DPC fined Meta €17 million after 30 million users had been affected by several data breaches. In May 2023, the Irish DPC issued a record €1.2 billion fine against Meta for violations of the GDPR.

The DPC has yet to publish its complete decision in this case.