Meta Faces €91 Million Fine from a Familiar Regulator: Data Privacy Trends

If it seems like we’ve been here before – we have! Meta faces a €91 million fine from a familiar regulator – this time for faulty password storage.

As reported by Rob Robinson on ComplexDiscovery (Meta Faces €91 Million Fine Over Password Storage Lapse, available here), Meta Platforms, Inc. has been slapped with a €91 million ($101.5 million) fine by the Irish Data Protection Commission (DPC) following a comprehensive investigation into a significant security lapse. The fine, announced on Friday, marks yet another substantial penalty for the social media giant under the stringent data privacy regulations of the European Union (EU). This latest reprimand highlights ongoing concerns over Meta’s data handling practices and underscores the increasing scrutiny faced by major tech companies in Europe.

The investigation, launched in April 2019, revealed that Meta had inadvertently stored certain user passwords in ‘plaintext,’ meaning the passwords were not protected by any form of encryption. This lapse, which was discovered internally by Meta, involved passwords for a subset of Facebook users, which were temporarily logged in a readable format. Despite Meta’s assertion that there is no evidence these passwords were accessed improperly or abused, the regulatory body deemed the storage method as a serious risk.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” remarked Graham Doyle, Deputy Commissioner of the DPC. He emphasized the universally recognized need for robust encryption to safeguard user information, critiquing Meta’s failure to adhere to these essential security measures.

Although Meta stated, “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly. We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry,” it was fined yet again by the Irish DPC.

To date, the DPC has imposed fines totaling over €2.6 billion ($2.9 billion) on Meta for various breaches under the EU’s General Data Protection Regulation (GDPR). That includes a $277 million fine for a leak of data for half a billion users, a fine of €405 million for mishandling teenagers’ personal information, and a record $1.3 billion fine for sending data about European Union users to the United States.

While $101.5 million is considerably lower than the other fines, it shows that the Irish DPC still has its eyes on Meta. Considering that this investigation was launched over five years ago, who knows what additional investigations and potential fines yet loom? Meta faces a €91 million fine, but there may be more to come – again – from the Irish DPC.

So, what do you think? Are you surprised that Meta is receiving so many large fines from a single Data Protection Commission? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


Discover more from eDiscovery Today by Doug Austin
