The Irish Data Protection Commission (“DPC”) recently imposed a €91 million fine on Meta Platforms Ireland Limited (“MPIL”), having found that it violated a number of provisions of the GDPR.
The decision is noteworthy, as the DPC adopted a broad interpretation of what constitutes a “personal data breach” under Article 4(12) GDPR. In particular, the DPC found that MPIL’s inadvertent storage of user passwords in plaintext on its internal systems constituted a “personal data breach”, in circumstances where such storage was in breach of MPIL’s internal security policies (which require such passwords to be stored in encrypted format), and the plaintext passwords could have been accessed by MPIL employees. This essentially means that a breach of security, combined with potential access to personal data by unauthorised employees, may constitute a “personal data breach” under the GDPR. The DPC’s decision is being appealed by MPIL, on the grounds, inter alia, that the DPC misinterpreted the GDPR definition of what constitutes a “personal data breach”.
In addition to finding that the inadvertent storing of users’ passwords in plaintext constituted a “personal data breach”, the DPC found that MPIL had failed to comply with the requirements of Articles 5(1)(f) and 32(1) GDPR. This was due to the fact that MPIL had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks of the processing. The DPC further found that the failure by MPIL to notify the personal data breach within the 72 hour statutory timeframe, and the failure to internally document two separate personal data breaches, constituted breaches of Article 33(1) and Article 33(5) GDPR, respectively.
Background
MPIL protects stored social media users’ passwords with cryptographic techniques and does not store the individual characters that make up a password. On 21 March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ form on its internal systems. On 24 April 2019, the DPC commenced an own-volition inquiry into this issue.
Specifically, following an internal security review, MPIL became aware on 7 January 2019 that it had accidentally stored certain Facebook Lite user passwords in plaintext in internal error logs as a result of data logging operations. On 31 January 2019, a second, much larger-scale incident of plaintext password logging was discovered. MPIL stated that this plaintext storage arose as a result of internal code changes implemented in November-December 2018.
On becoming aware of these incidents in 2019, MPIL formed the view that in both cases the inadvertent logging of plaintext passwords did not constitute a “personal data breach” within the meaning of Article 4(12) GDPR.
DPC Decision
The inquiry and decision addressed the following four issues:
- whether the storage and availability of the user passwords in plaintext (as discovered on 7 January and 31 January 2019) constituted a “personal data breach” under Article 4(12) GDPR;
- whether MPIL complied with its obligations as a controller under Article 33(1) GDPR to notify a personal data breach to the DPC without undue delay, and where feasible, not later than 72 hours;
- whether MPIL complied with its obligations as a controller under Article 33(5) GDPR to document a personal data breach; and
- whether MPIL complied with the integrity and confidentiality principle under Article 5(1)(f) GDPR, and its security obligations under Article 32(1) GDPR to ensure a level of security appropriate to the risk of processing user passwords.
Issue 1: Whether a “personal data breach” under Article 4(12) GDPR occurred
Article 4(12) defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
For the purposes of its assessment as to whether there had been a personal data breach, the DPC first considered whether plaintext passwords constitute “personal data” under the GDPR. The DPC found that a password stored in plaintext on an MPIL database constituted “personal data”, as it was information relating to an identified or identifiable natural person.
“Breach of Security”
The DPC found that a “breach of security” had occurred, as the unintentional storing of the passwords in plaintext had made these passwords available to MPIL staff in a way that could have resulted in the linking of user accounts with unencrypted passwords. In addition, the plaintext passwords were logged in breach of MPIL’s security policy that passwords should be hashed, salted and encrypted, and contrary to recognised industry security standards.
“Unauthorised disclosure of, or access to” personal data
In determining whether there had been a “personal data breach”, the DPC considered whether the breach of security had led to an “unauthorised disclosure of, or access to” personal data.
The DPC noted that the concept of “unauthorised disclosure of, or access to” personal data is not limited to circumstances where there is exfiltration or exposure of personal data to persons or entities that are external to a data controller. Nor does it require unauthorised disclosure “to an identifiable individual or entity”. Rather, it is concerned with whether or not there has been a loss of confidentiality of personal data. The DPC therefore found that the fact that the plaintext passwords were available to, and could be accessed by, unauthorised MPIL employees, meant that the passwords were not stored confidentially, amounting to an instance of “unauthorised disclosure of, or access to, personal data” for the purposes of Article 4(12) GDPR.
“Accidental or unlawful loss of personal data”
Finally, the DPC considered whether there had been an “accidental or unlawful loss of personal data” within the meaning of Article 4(12) GDPR. The DPC found that such a “loss” arose, in circumstances where the controller had lost control of personal data in the context of its own internal processing operations, and where it was unaware that the plaintext user passwords were being stored in that manner until their discovery in January 2019.
Conclusion
The DPC therefore found that each of the incidents of plaintext password storage constituted a “personal data breach” within the meaning of Article 4(12) GDPR.
Issue 2: Whether MPIL complied with its reporting obligations under Article 33(1) GDPR
Article 33(1) GDPR requires a data controller to notify a “personal data breach” to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a “risk” to the rights and freedoms of natural persons.
The DPC noted that when MPIL informed the DPC of its discoveries of 7 January and 31 January 2019 in its email of 21 March 2019, MPIL expressly affirmed that it was not a personal data breach notification, as the incidents did not constitute “personal data breaches” under Article 4(12) GDPR, and were unlikely to result in a risk to affected individuals. In particular, it is noteworthy that the passwords were only potentially accessible to MPIL employees who were bound by confidentiality agreements, and the investigation did not identify evidence of any employee accessing the data or failing to respect its confidentiality.
In assessing the risks to individuals, the DPC considered that the personal data breach concerned personal data of a sensitive nature; that the passwords could possibly be matched to the accounts of individual Facebook Lite users; that a large number of data subjects was involved; and that the breach carried potentially severe risks of loss of confidentiality of personal data and of identity theft. As a result, the DPC found that the personal data breach was a reportable one under Article 33(1) GDPR.
Conclusion
The DPC therefore found that MPIL had infringed Article 33(1) GDPR by failing to notify a personal data breach without undue delay and within 72 hours of the discovery.
Issue 3: Whether MPIL complied with its obligations under Article 33(5) GDPR
Article 33(5) GDPR requires a data controller to “document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.”
MPIL had not documented either incident on the basis of its assessment that neither incident constituted a “personal data breach” under the GDPR.
Conclusion
The DPC found that MPIL had infringed Article 33(5) GDPR by failing to document the personal data breaches. The DPC emphasised the importance of compliance with Article 33(5), noting that it allows supervisory authorities to examine a controller’s understanding of a personal data breach, at the time of discovery, and avoids the risk of a controller retrospectively seeking to justify its decision not to report a breach, where such justification may not have existed at the time of discovering the incident.
Issue 4: Whether MPIL complied with Article 5(1)(f) and Article 32 GDPR regarding the security of processing of personal data
Article 5(1)(f) GDPR outlines the principle of ‘integrity and confidentiality’, which provides that personal data must be processed in a manner that ensures appropriate security of the personal data. The principle is closely related to the requirement in Article 32 GDPR for controllers to implement appropriate technical and organisational measures to ensure a level of security for personal data appropriate to the risks of processing that data.
The DPC noted that MPIL had implemented a ‘sanitisation framework’ to prevent the storage of plaintext passwords on its systems. However, prior to 31 January 2019, the sanitisation framework was not directly applied to the Facebook Lite server.
The DPC found that the absence of a sanitisation framework applicable to data logged from the Facebook Lite server prior to the discovery of the plaintext password logging in January 2019 was indicative of a serious and systemic failure by MPIL to ensure that appropriate security measures were applied to the processing.
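To make the technical point concrete, the following Python example is added here; it is not MPIL’s code and does not reproduce MPIL’s sanitisation framework, whose design the decision does not describe. It assumes a login request that is logged as a dictionary and a hypothetical list of sensitive field names. It shows, first, what a credential store should hold (a salted PBKDF2 hash, without the additional encryption layer that MPIL’s policy refers to) and, second, a logging filter that redacts password values from error-log records before any handler writes them, so that a verbose error path cannot put the plaintext into the logs.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Any, Optional

# Request fields whose values must never reach a log line. This list is an
# assumption for the example; a real deployment would maintain its own.
SENSITIVE_KEYS = frozenset({"password", "passwd", "pwd", "secret", "token"})
REDACTED = "[REDACTED]"
# Matches key=value pairs in free text such as query strings or form bodies.
_KV_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)=([^&\s\"']+)")
PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return what the credential store should hold: a salted hash, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def redact_text(text: str) -> str:
    """Redact the value of any sensitive key=value pair embedded in a string."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


def redact_value(value: Any) -> Any:
    """Recursively sanitise dicts, lists/tuples and strings; other values pass through."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_value(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(redact_value(v) for v in value)
    if isinstance(value, str):
        return redact_text(value)
    return value


class SecretRedactingFilter(logging.Filter):
    """Sanitise each LogRecord before any handler formats or writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_value(record.msg)
        if record.args:  # a tuple, or a single dict if one mapping was passed
            record.args = redact_value(record.args)
        return True  # keep the record; only its contents were changed


def render_login_error(request: dict, sanitise: bool) -> str:
    """Return the line a file handler would write for a failed login.

    With sanitise=False this reproduces the failure mode the decision describes:
    the raw request, plaintext password included, goes into the error log.
    """
    logger = logging.Logger("example.auth")  # standalone logger, no global state
    logger.setLevel(logging.DEBUG)
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    if sanitise:
        logger.addFilter(SecretRedactingFilter())  # applies to every handler on this logger
    logger.error("login failed for request %s", request)
    return captured[0]


# Constructed sample request, not real data: the password appears both in the
# query string and in the form body, the two places a naive logger would dump.
SAMPLE_REQUEST = {
    "path": "/login",
    "query": "locale=en_GB&password=hunter2&remember=1",
    "form": {"email": "user@example.com", "password": "hunter2"},
}

if __name__ == "__main__":
    print("unsanitised:", render_login_error(SAMPLE_REQUEST, sanitise=False))
    print("sanitised:  ", render_login_error(SAMPLE_REQUEST, sanitise=True))
    stored = store_password("hunter2")
    print("stored credential:", stored, "verifies:", verify_password("hunter2", stored))
```

Run as written, the unsanitised line contains the constructed password and the sanitised line does not, while the stored credential is a salt and digest from which the password cannot be read back. The filter is attached to the logger rather than to one handler, so any handler added later is covered too; that is the gap the DPC identified, since a sanitisation framework that exists but is not applied to one server’s logs protects nothing written from that server.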
Conclusion
MPIL was found to have infringed Article 5(1)(f) and Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure appropriate security of personal data.
Corrective Measures
Taking into account the nature of the infringements of the GDPR by MPIL, and the need for the administrative fine to be ‘effective, proportionate and dissuasive’ in accordance with Article 83(1) GDPR, the DPC imposed total administrative fines of €91 million on MPIL.
Commentary
This is an interesting decision, and one worth reading in full. The decision shows the DPC adopting a broad interpretation of the definition of a “personal data breach” under Article 4(12) GDPR. The DPC essentially found that a breach of security, combined with potential access by unauthorised staff and/or a loss of control of personal data, constitutes a “personal data breach”.
In addition, the decision serves as a warning that a personal data breach may meet the threshold for notifying the DPC under Article 33(1) GDPR, even in circumstances where the personal data at issue is only accessible internally to trusted (albeit unauthorised) employees who are bound by confidentiality agreements. In this case, the DPC found that the personal data breach carried potentially “severe risks” to data subjects, despite the MPIL employees being bound by confidentiality agreements. This was due to the fact, inter alia, that the breach impacted a large number of individuals, the sensitive nature of the data at issue (i.e. user passwords), and the risk of identity theft and fraud.
In light of this decision, it is crucial that businesses undertake a detailed examination of internal security incidents, to determine if a “personal data breach”, as defined in Article 4(12) GDPR, has occurred, and whether the breach is reportable to the DPC and/or data subjects under Articles 33 and 34 GDPR. In addition, it is vital that businesses document each personal data breach, whether or not it is reportable, in accordance with their obligations under Article 33(5) GDPR.
Contact us
For more information, please contact Davinia Brennan, or any member of our Technology and Innovation Group or your usual Matheson contact.