The Irish Data Protection Commission (DPC) has imposed a €251m ($263.5m) fine on Meta Platforms Ireland (MPIL) following a data breach investigation.

The DPC announced its final decisions after conducting two inquiries into Meta.

These own-volition inquiries were initiated by the DPC following a personal data breach reported by Meta in September 2018.

This data breach affected approximately 29 million Facebook accounts globally, with around three million based in the EU/EEA, according to the DPC.

The personal data categories impacted included users’ full names, email addresses, phone numbers, locations, places of work, dates of birth, religions, genders, posts on timelines, group memberships, and children’s personal data.

The breach occurred due to unauthorised third parties exploiting user tokens on the Facebook platform.

MPIL and its US parent company remedied the breach shortly after its discovery.

DPC deputy commissioner Graham Doyle said: “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.

“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

In November 2024, India’s competition watchdog Competition Commission of India (CCI) imposed a $25.4m (Rs2.13bn) fine on Meta for “abusing its dominant position”.

The watchdog also directed WhatsApp to halt sharing user data with other Meta-owned applications for non-service purposes for five years.