They seem to be hammering home the point that the passwords were always stored on ‘secure encrypted infrastructure’ but the data was not hashed, so anyone with access to googles ‘secure encrypted infrastructure’ could read the data.
The encryption is most likely enough to be within GDPR compliance.
>The encryption is most likely enough to be within GDPR compliance. //
Why do you think that, allowing staff to read plaintext passwords is contrary to standard security practice; companies are expected to make reasonable effort to secure PII and allowing staff to read your password doesn't appear to be "reasonable effort" by even the casualist of readings.
I don't think the EU courts are that stupid.
FWIW I don't think there is a case here particularly, as it appears to be a genuine error and being fixed.
The encryption is most likely enough to be within GDPR compliance.