Awareness Call for Data Controllers: Lessons from Meta’s €91 Million Fine

The recent €91 million fine imposed on Meta Platforms Ireland Limited (MPIL) by the Irish Data Protection Commission (DPC) for improper password storage is a stark reminder for data controllers/processors of the importance of prioritizing data protection. This landmark decision amplified the DPC’s commitment to enforcing the General Data Protection Regulation (GDPR) and highlighted the severe consequences of non-compliance.

The Meta Case and Its Implications

The Meta case began in 2019 when the company revealed that user passwords were stored in a readable format within its internal data storage systems. Although Meta claimed no internal abuse or improper access occurred, the DPC’s investigation uncovered significant violations of GDPR provisions. Specifically, the DPC found Meta Ireland guilty of failing to document and notify the competent supervisory authority of a breach, failing to take appropriate technical measures to protect personal data, and failing to ensure an appropriate level of security.

In Nigeria, Section 39 of the Nigeria Data Protection Act (NDPA) 2023 mandates data controller/processor to ensure the security, integrity, and confidentiality of personal data in its possession or under its control. The Meta case provides valuable lessons for Nigerian data controllers/processors on the importance of password storage security, transparency, accountability, and regular security audits and risk assessments.

Lessons for Nigerian Data Controllers

It is imperative that data controllers/processors in Nigeria take note of the DPC’s decision and review their data storage practices to ensure compliance with the NDPA. This includes implementing robust security measures, such as password hashing, salting, key stretching, and establishing incident response plans. Data controllers/processors must also provide data protection training to employees and ensure that data protection policies and procedures are clearly communicated.

The NDPA requires data controllers/processors to report data breaches to the NDPC within 72 hours of becoming aware of the breach. Failure to comply can result in significant fines and reputational damage. The Meta case highlights the importance of transparency and accountability in data protection.

Furthermore, the decision emphasizes the need for data controllers/processors to conduct regular security audits and risk assessments. The NDPA requires data controllers/processors to implement appropriate technical and organizational measures to ensure the security of personal data, and regular security audits and risk assessments are essential to achieving this.   

Conclusion

The DPC’s decision to fine Meta €91 million serves as a wake-up call to all data controllers/processors. The decision highlights the importance of password storage security, transparency, accountability, and regular security audits and risk assessments. Data controllers must prioritize data protection to maintain customer trust and avoid severe financial penalties.

The Nigerian data protection landscape is evolving, and data controllers must stay informed about emerging trends and regulatory requirements. The NDPA provides a framework for data protection in Nigeria, and data controllers must ensure compliance to avoid reputational damage and financial penalties.

In light of this decision, Nigerian data controllers/processors would be wise to conduct a thorough review of their data protection practices to ensure compliance with the NDPA. This includes reviewing data storage practices, implementing robust security measures, and establishing incident response plans. By prioritizing data protection, Nigerian data controllers can maintain customer trust and avoid severe financial penalties.