Meta, the parent company of Facebook, has been fined €251 million (approximately $263 million) by Ireland's Data Protection Commission (DPC) for a security breach that affected millions of users in 2018. The penalty, issued on Tuesday, is one of the largest fines imposed on the tech giant under the European Union's General Data Protection Regulation (GDPR).
The breach originated in July 2017 with a bug in Facebook's "View as" feature, which lets a user preview their own profile as another user would see it. The bug allowed anyone using the feature to gain unauthorized access to other users' profiles and data. Between September 14 and September 28, 2018, unauthorized persons used scripts to exploit the vulnerability at scale, gaining access to approximately 29 million Facebook accounts globally, including around 3 million based in the EU/European Economic Area.
The personal data impacted by the breach included full names, email addresses, phone numbers, location, places of work, dates of birth, religion, gender, posts on timelines, groups of which users were a member, and children's personal data. The broad scope of impacted data likely influenced the size of the fine.
The DPC issued two enforcement decisions on Tuesday, one covering Meta's breach notification and the other concerning the rules on data protection by design and default. In both cases, the DPC found Meta infringed the GDPR. The full sanction breaks down into €11 million for the breach notification and €240 million for violating GDPR principles of data protection by design.
DPC deputy commissioner Graham Doyle commented on the enforcement action, stating that it highlights the importance of building in data protection requirements throughout the design and development cycle. "Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances," Doyle said. "By allowing unauthorized exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data."
Notably, no objections were raised to Ireland's draft decision by peer authorities, marking a departure from previous cases where the DPC's decisions were disputed by its peers. The regulator expressed gratitude for the cooperation and assistance of its peer EU/EEA supervisory authorities in the case.
Critics of the DPC under former commissioner Helen Dixon had accused the regulator of under-enforcing the GDPR on Meta and other tech giants. However, the latest enforcement decision suggests a shift in the regulator's approach, with the DPC taking a more assertive stance on data protection.
In response to the penalty, Meta spokeswoman Emily Westcott stated that the company took immediate action to fix the problem as soon as it was identified and proactively informed people impacted as well as the Irish Data Protection Commission. Westcott emphasized that Meta has a wide range of industry-leading measures in place to protect people across its platforms.
This is not the first time Meta has faced a significant fine from the DPC. In September, the company was fined €91 million in relation to a 2019 security breach in which hundreds of millions of users' passwords were stored in plaintext on its servers.
The €251 million fine is a reminder of the importance of robust data protection measures and the consequences of failing to prioritize user privacy. As the tech industry continues to grapple with the challenges of data protection, this enforcement action serves as a warning to companies to take their obligations under the GDPR seriously.