Meta has been hit by nearly EUR1bn of fines from the Irish data watchdog for privacy violations.
Meta was fined EUR265m by Ireland’s data watchdog following a data breach which affected millions of Facebook users.
After a hacking forum revealed a large database of 533m Facebook users, the Data Protection Commission (DPC ) began an inquiry into Meta in April 2021. The data scraped included phone numbers, Facebook IDs names, birthdates, and email addresses.
The DPC stated at the time that it believed that one or more provisions of the GDPR and 2018 Data Protection Act could be infringed with regard to Facebook users’ personal information.
An investigation was launched to see if the social media giant had met its obligations regarding the processing of personal user data via the Facebook Messenger, Instagram and Instagram contact importer functions.
“The material issues in the inquiry concern questions of compliance to the GDPR obligation data protection by default and design,” said the DPC in a statement issued today (28/11).
It discovered that the company had violated Articles of GDPR. These articles require that appropriate technical and organizational measures be taken to protect data and that personal data not be made available without consent of the individual.
Meta stated in a statement that they had made modifications to their systems during the period in question. This included removing the ability for phone numbers to scrape features. Unauthorized data scraping is against our rules and unacceptable.
This punishment brings the total fines that Meta has been subject to by the DPC to EUR1bn since September 2013. Meta was penalized EUR405m in September for allowing teenagers to set up Instagram accounts that publically displayed their email addresses. In March, Meta was fined EUR17m for additional GDPR violations. In September 2013, Meta’s WhatsApp was fined EUR225m for “severe” or “serious” GDPR violations.
The DPC sent a draft decision in the probe to other EU data authorities last week. Today, the Irish watchdog stated that all other supervisory authorities had accepted its decision.
The DPC stated in a statement that the authority had imposed a reprimand as well as a fine.
Meta spokesperson said that the company had made changes to its systems over the period in question. This included removing the ability for phone numbers to scrape features. We will continue to work with our peers to address this industry challenge. Unauthorized data-scraping is not acceptable and is against our rules.
Facebook can appeal against the decision to Irish courts. It stated that it was “reviewing the decision carefully.”