Ireland’s Data Protection Commission (DPC) on Friday announced its final decision in an inquiry launched in April 2019.

The inquiry was launched after Meta Platforms Ireland Limited (MPIL) notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems, i.e. without the typical cryptographic protection or encryption.

The DPC submitted a draft decision to the other concerned supervisory authorities across the EU/EEA in June 2024, as required under Article 60 of the GDPR. No objections to the draft decision were raised by the other authorities.

The decision, which was made by data protection commissioners Dr Des Hogan and Dale Sunderland and notified to MPIL on 26 26, includes a reprimand and a fine of €91 million.

The DPC’s decision records the following findings of infringement of the GDPR:

•  Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
• Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
• Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing; and
• Article 32(1) GDPR, because MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.

Graham Doyle, deputy commissioner at the DPC, said: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.

“It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

The DPC will publish the full decision and further related information in due course.