Meta takes High Court judicial review over €91m data protection fine

Mark Zuckerberg’s Meta wants the High Court to overturn a “wholly disproportionate” €91 million penalty imposed on it by Ireland’s data protection regulator for improperly storing user passwords.

The fines, which were imposed last September under the General Data Protection Regulation (GDPR), relate to a 2019 incident where it was discovered the company had stored some user passwords in plaintext, which is an easily readable format, instead of applying encryption.

Meta, which operates Facebook and Instagram, claims the DPC failed to consider whether the fines totalling €91 million were “effective, proportionate and dissuasive”, as required by the GDPR.

The principle of proportionality is a “fundamental principle” of EU law, but the €91 million penalties are “excessive and go beyond what is required to be effective and dissuasive,” Meta says.

The company further claims that the commission acted in breach of fair procedures and due process by calculating the fine by reference to Meta’s global turnover without affording it full rights of defence.

Meta is asking the High Court to quash the DPC’s September 2024 decision and accompanying fines totalling €91 million.

It also seeks a court declaration that sections of the Irish Data Protection Act are unconstitutional and incompatible with the State’s obligations under the European Convention on Human Rights.

Also among the company’s claims is that the DPC “misinterpreted and misapplied” an article of the GDPR that defines a “personal data breach” and wrongly concluded that every plaintext password logged amounted to “personal data”.

Meta accepted some of the instances were personal data, but in many cases the plaintext passwords were not logged alongside identifying features, it says.

Meta claims the DPC incorrectly found there had been “unauthorised disclosure of, or access to, personal data”. There was, in fact, no disclosure or access to personal data in relation to the issue, the company says.

The case came before Ms Justice Mary Rose Gearty on Monday, when she made an order permitting Meta to pursue its claims via the court’s judicial review mechanism. She heard the application while only Meta was represented in court.

Meta’s lawyers said the company has also initiated a statutory appeal over the same September 2024 decision.

The €93 million fine is one of several imposed by the DPC on Meta. The most significant was issued in May 2023, when the company was fined a record €1.2 billion for violating European privacy rules, following a long investigation into transfers by Facebook of Europeans’ personal data to the US. This decision is the subject of a High Court challenge by Meta.

Last December the regulator handed down a €251 million fine following a data breach, affecting 29 million Facebook accounts globally, that was reported by Meta in September 2018.

A €265 million penalty was given in 2022 over a “collated” set of Facebook personal data that had been uploaded onto an online forum.
