META FINED 91 MILLION EURO FOR VIOLATING DATA PROTECTION LAW
Data Protection: series 6
On 26th September 2024, the Irish Data Protection Commission fined Meta Platforms Ireland Limited €91 million for violating Ireland's data protection laws. This comes a few days after their competitor Meta Platforms, Inc. (formerly Facebook) and WhatsApp LLC were fined $220 million by the Nigeria Data Protection Commission and the Federal Competition and Consumer Protection Commission for violating Nigeria’s data protection and consumer protection laws.
In a decision issued by Ireland’s Commissioners for Data Protection, Meta Platforms Ireland Limited was faulted for the following violations of the GDPR:
- Failure to notify the Data Protection Commission of a personal data breach concerning storage of user passwords in plaintext contrary to the provisions of Article 33(1) of the GDPR;
- Failure to document personal data breaches concerning the storage of user passwords in plaintext contrary to the provisions of Article 33(5) of the GDPR;
- Failure to use appropriate technical or organizational measures to ensure appropriate security of users’ passwords against unauthorized processing contrary to the provisions of Article 5(1)(f) of the GDPR; and
- Failure to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and ability to ensure the ongoing confidentiality of user passwords as required under Article 32(1) of the GDPR.
Even as the Irish Data Protection Commission is expected to publish the full decision, the Deputy Commissioner at the commission commented on the subject and had this to say:
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
This decision underscores the importance of organizations complying with data protection laws, especially when it comes to incorporating technical and organizational security measures to protect the personal data they process.
In Kenya, it is a mandatory requirement under section 41 of the Data Protection Act, 2019 for all entities processing personal data to deploy both technical and organizational security safeguard measures in their organizations to ensure security of personal data being processed.
At A.O.Wanga Advocates we are happy to advise and assist your organization in complying with the Data Protection Law.
For assistance contact us at info@aowangaadvocates.com or +254794600191