Meta, the parent company of Facebook, has been fined 91m euros (£75m) by the Irish Data Protection Commission (DPC), following an investigation into the storage of passwords.
An inquiry was launched in April 2019 after Meta informed the DPC that it had accidentally stored certain passwords of social media users in its internal systems without encryption.
The DPC handed over the draft decision to fellow European data watchdogs back in June 2024.
No objections were raised by the other authorities.
Meta has been found to have committed four breaches of the General Data Protection Regulation (GDPR).
DPC deputy commissioner Graham Doyle said: "It is widely accepted that user passwords should not be stored in 'plaintext' considering the risks of abuse that arise from persons accessing such data."
"It needs to be taken into account that the passwords the subject of scrutiny in this instance are very sensitive, given that they would give access to users' social media accounts," he said.
The ruling, which was made by the commissioners for data protection, Dr Des Hogan and Dale Sunderland, and served on Meta on 26 September, involves a warning and penalty.
What's happened so far?
Meta was fined €1.2bn (£1bn) in May 2023 for mishandling data while transferring it between Europe and the United States.
That fine came from Ireland's DPC; it was the largest fine yet under the EU's GDPR privacy law.
In 2022, Meta was fined €265m (£220m) after data from 533m people in 106 countries was published on a hacking forum after being "scraped" from Facebook years earlier.