The Irish Data Protection Commission (DPC) has fined Meta €265m ($275m) for violating two articles of the EU’s General Data Protection Regulation (GDPR). The DPC launched an investigation on 14 April 2021 following media reports that a large dataset containing the personal data of Facebook users had been released on the public Internet. The data breach, which included mobile phone numbers and email addresses, occurred in 2019 and involved the personal data of more than 530 million Facebook users. The data had been scraped from public profiles on the site. According to the DPC, a significant percentage of those users were EU citizens.
The investigation centered on the Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools in relation to the data processing activities of Meta Platforms, with the DPC examining compliance with Article 25 of the GDPR, which is concerned with data protection by design and by default.
The DPC determined that from May 25, 2018 – the effective date of the GDPR – until September 2019, Meta Platforms violated Articles 25(1) and 25(2). In addition to the sizable financial penalty, Meta Platforms was given a reprimand and was issued with an order requiring the company to take a range of remedial measures to bring its data processing into compliance within a specified timeframe. All supervisory agencies that cooperated with the DPC during the investigation were in agreement about the fine and penalty amount.
A spokesperson for Meta issued a statement about the DPC’s decision. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules.”
This is far from the only financial penalty to be imposed on Meta companies in the past two years. In total, Meta Platforms and its subsidiaries have been fined €912 million for infringements of the GDPR, which includes financial penalties for Meta Platforms (€17m), WhatsApp (€225m), and Instagram (€405m), with the latter for permitting teenagers to set up accounts on Instagram that displayed their phone numbers and email addresses.