The EU's data privacy watchdog on Tuesday slapped Facebook parent Meta with a $263 million fine for a 2018 breach that exposed millions of global users' personal information.
The data breach impacted 29 million Facebook users, including 3 million in the EU alone. Personal data impacted included users' full names, email addresses, phone numbers, locations, places of work, dates of birth, and children's personal data, along with other data.
"This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals," DPC Deputy Commissioner Graham Doyle said in a statement.
He added, "Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorized exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data."
The DPC's two final decisions found that Meta violated the EU's General Data Protection Regulation (GDPR) rules by underreporting information in its initial disclosure, failing to document facts relating to the breach, failing to ensure data protection during the design of processing systems, and failing to ensure only personal data necessary for specific purposes was processed.
Facebook has a long history of legal troubles concerning data privacy.
Since 2007, the company has had multiple breaches and privacy incidents.
The Federal Trade Commission (FTC) in 2019 fined Meta $5 billion -- the agency's largest fine in its history -- after investigations over privacy concerns.
The company's biggest leak occurred in 2021, when over 530 million Facebook users' data was posted in an online hacking forum. In 2022, the DPC fined Meta $278 million for that breach, and another $425 million for a separate breach relating to GDPR violations by Instagram.
In 2022, Meta agreed to a $725 million settlement for privacy violations related to the Cambridge Analytica scandal, which involved a political consulting firm exploiting a loophole in Facebook's API that exposed data on 87 million users.