On 27 September 2024, the Irish Data Protection Commission (DPC) announced its decision to fine Meta EUR 91 million for storing passwords of social media users without cryptographic protection or encryption (in “plaintext”) on its internal systems. The decision follows an inquiry launched in April 2019 to assess Meta’s compliance with its obligations under the GDPR. In particular, the DPC found that Meta failed to comply with its obligations to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext, to document personal data breaches concerning the storage of user passwords in plaintext, and to implement measures to ensure a level of security appropriate to the risks associated with the processing of passwords.