Irish Data Protection Commission (DPC) – Tech | Business | Economy
https://techeconomy.ng

Meta Fined €251 Million Over 2018 Facebook Data Breach Affecting 29 Million Users
https://techeconomy.ng/meta-fined-e251-million-over-2018-facebook-data-breach-affecting-29-million-users/
Tue, 17 Dec 2024 16:21:31 +0000

Meta Platforms Ireland Limited (MPIL), a subsidiary of the global tech giant Meta, has been fined €251 million by the Irish Data Protection Commission (DPC) over a data breach affecting 29 million Facebook users in 2018.

This breach compromised sensitive personal information, including details about users’ identities, locations, and personal preferences.

The Data Breach: What Happened?

In September 2018, Meta reported the incident to the Irish regulator, revealing that attackers had exploited vulnerabilities in Facebook’s “View As” feature, which lets users preview their profiles as others see them. 

Using automated scripts, unauthorised individuals were able to manipulate user tokens, gaining access to accounts and sensitive data. 

The breach exposed personal information such as full names, email addresses, phone numbers, locations, workplaces, dates of birth, religious affiliations, and posts. Particularly troubling was the exposure of children’s data.

While Meta quickly resolved the issue, the DPC’s investigation found gaps in how the company documented and responded to the breach under the EU’s General Data Protection Regulation (GDPR).

The DPC identified multiple GDPR violations and issued reprimands alongside the financial penalty. Two specific infringements stood out:

  1. Breach Notification Failures: Meta failed to provide complete details in its breach notification, as required by GDPR Article 33(3). This led to an €8 million fine. The company also neglected to document the incident thoroughly, resulting in an additional €3 million penalty.
  2. Inadequate System Design: Under GDPR Article 25(1) and 25(2), Meta was found to have overlooked data protection principles during the design of its systems, leaving users vulnerable. This oversight resulted in €130 million and €110 million fines, respectively.

Graham Doyle, deputy commissioner of the DPC, stressed the risks caused by such breaches, noting that Facebook profiles often contain sensitive information such as political views, religious beliefs, and sexual orientation. The exposure of these details could lead to significant misuse, affecting individuals’ privacy and safety.

This penalty adds to ongoing enforcement against Meta by European regulators. Since GDPR’s introduction in 2018, Meta has faced nearly €3 billion in fines, including a record €1.2 billion penalty in 2023. The company has said it intends to appeal the latest ruling.

While this fine points to Europe’s focus on protecting personal data, similar investigations are growing in other regions.

In July 2024, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) and Nigeria Data Protection Commission (NDPC) jointly fined Meta $220 million for privacy violations and abuse of dominance. 

These findings accused the company of unauthorised data transfers, cross-border storage without compliance, and discriminatory practices.

X Under Fire Over Unauthorised Use of Users’ Data for AI Training
https://techeconomy.ng/x-under-fire-over-unauthorised-use-of-users-data-for-ai-training/
Mon, 12 Aug 2024 09:04:12 +0000

Social media giant X, formerly known as Twitter, is under renewed fire for alleged unauthorised siphoning of personal data from over 60 million European Union users to train its artificial intelligence (AI) systems.

The platform began processing user data without seeking permission, leading to a fresh wave of privacy complaints across multiple European countries.

The issue came to light when a vigilant user noticed a new setting that revealed X had quietly started using post data from EU users for its Grok AI chatbot. This discovery drew immediate concern from the Irish Data Protection Commission (DPC), the main body responsible for overseeing X’s compliance with the General Data Protection Regulation (GDPR).

The Irish DPC quickly initiated legal proceedings against X, aiming to halt the processing of unauthorised data. However, privacy advocates, including the non-profit organisation noyb, have condemned the DPC’s response as insufficient. 

Noyb, led by privacy activist Max Schrems, has lodged complaints in nine countries, arguing that X’s actions violate several GDPR provisions. These complaints focus on the lack of transparency and consent in X’s data handling practices.

This situation has brought the issue of personal data protection in the EU back into focus. Under the GDPR, companies are required to have a valid legal basis for processing personal data, typically through user consent. However, X has attempted to justify its actions under the “legitimate interest” clause, a defence that has already been dismissed by the European Court of Justice in similar cases involving other tech giants.

Despite this, X continued its data processing until early August 2024, without adequately informing users or offering them a chance to opt out. A setting allowing users to block data processing was only added in late July, long after the data had been ingested into the AI system.

Max Schrems and other privacy advocates are calling for stricter enforcement of GDPR regulations, noting that companies must obtain consent before using personal data for AI training or any other purposes. They argue that the current situation highlights the need for stronger oversight to prevent companies from bypassing user rights.
