Ireland’s Data Protection Commission (DPC) has issued Meta with a €265m ($275m) fine and a “range of corrective measures” under GDPR relating to a large-scale data breach that was uncovered in 2021.
The decision follows an inquiry investigating data processing carried out by Meta using Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools between May 25, 2018, and September 2019.
The inquiry was initiated after it was revealed that the personal details of 533 million Facebook users were leaked on a hacking website in April 2021. The dataset included phone numbers, locations, birthdates, Facebook IDs, full names and email addresses of users of the platform from 2018 to 2019. Meta said the data was accessed through a vulnerability that it fixed in 2019.
However, during the period in question, the Irish DPC concluded that Meta had failed to comply with the Article 25 of GDPR, relating to the obligation for Data Protection by Design and Default.
The DPC stated: “The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring Meta Platforms Ireland Limited (MPIL) to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265m on MPIL.”
The regulatory body added that the inquiry was carried out in cooperation with the other data protection supervisory authorities within the EU, all of which agreed with the decision.
The decision follows several other heavy fines recently issued by Ireland’s DPC against Meta. These include a €405m ($420m) penalty against Instagram in September 2022 for the firm’s handling of children’s data and a €17m ($18m) fine following an investigation into 12 data breach notifications in March 2022.
The fine represents the third highest issued under the GDPR, following a €746m ($740.8m) penalty dropped against Amazon in July 2021 and the aforementioned €405m fine against Meta earlier in 2022.
Cracking Down on Violations
Speaking to Infosecurity, Jonathan Armstrong, partner at Cordery Compliance, noted that the penalty issued is consistent with an increasingly tougher approach being taken by data protection authorities in respect of GDPR violations.
“I don’t think it is a surprise and GDPR fines are generally becoming more significant. By my maths this new decision puts GDPR fines to date above €2bn ($2.7bn) and it’s at a roughly similar level to a previous Meta fine,” Armstrong noted. “The decision will have been made in close consultation with other EU Data Protection Authorities (DPAs) – there is a process managed by the EDPB to allow other DPAs to comment on any draft decision and they can also suggest what they think the right level of fine is.”
Armstrong said it is important to note that in addition to the fine, the DPC has also imposed an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.
“These remedial measures could be more costly than the fine, for example it could involve and order that Meta remove some categories of data from its systems,” he commented.
Newstalk reporter Jess Kelly tweeted a statement made by an unidentified Meta spokesperson in response to the decision. It read: “Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish DPC on this important issue. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.
“Unauthorized data scraping is unacceptable and against our rules and we continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Armstrong said he expects Meta to appeal the decision “and that will join a fairly long queue of appeals against DPC decisions.” He added: “We’d predicted prior to GDPR coming in that many of the larger fines would be appealed and that prediction is certainly coming true.”
However, Chris McLellan, director of Operations at the non-profit body the Data Collaboration Alliance, argued that punishments of this nature will not solve data protection issues.
“The way apps manage data is the real problem in establishing the level of control necessary for enforcing outcomes like those outlined in GDPR and California's CCPA. Sensitive and other information is fragmented into databases, which then get copied at scale through a process known as data integration. This is at complete odds with the global movement towards increased data privacy and data protection.
“Bottom line: If we want to get serious about data protection and data privacy, we need to think seriously about changing the way that we build apps.”
McLellan added: “Until then, the endless parade of fines and regulatory show trials – or any attempt to mitigate the underlying chaos that defines the current state of personal information – are doomed to fail.”