Facebook parent Meta was fined by the Irish Data Protection Commission (DPC) €265 million fine on 28 November 2022, for the period of 2018 and 2019.
The Reasons for the €265 Million Fine
Facebook’s owner Meta has been fined €265 million by the Irish Data Protection Commission (DPC) for breaching European data protection law. The breach resulted in more than 500 million users' details being published online. The data was hacked and included names, Facebook IDs, mobile phone numbers, real addresses, birth dates, and email addresses of people from more than 100 countries. The Irish watchdog said a “significant” number of these users were from the EU.
Details of Facebook users were scraped from public profiles in 2018 and 2019. According to Meta, the data had been scraped from the Facebook platform using tools designed to find friends through phone numbers using search and contact import features.
An inquiry for the Meta investigation was opened by the Irish DPC on April 14, 2021, following media reports.
The DPC confirmed that the decision is based on the infringement of Articles 25(1) and 25(2) of the General Data Protection Regulation (GDPR). These articles deal with data protection by design and default.
In addition to the fine, the DPC also imposed various corrective measures. The Irish watchdog requires Meta to “bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe”.
During the Irish DPC investigation, Facebook tried to play down the breach, claiming the publicly available data was “old data”. Meta claimed that the data was scraped illegally: "unauthorized data scraping is unacceptable and against our rules".
In addition, Meta had fixed the issue that led to the personal data being exposed. They made changes to their systems, including removing the ability to scrape the features using phone numbers.
The Irish watchdog has levied a series of punishments against Meta over the past two years. The total amount of fines appointed on Meta by the DPC for breaching GDPR regulations seeks nearly €1 billion. In September 2021, WhatsApp messaging service was hit by €225m over serious infringements of GDPR: it had failed to properly explain its data processing practices in its privacy notice. In March 2022, Meta was fined €17m for GDPR breaches. In September 2022, Meta was fined €405m, because teenagers could create Instagram accounts that publicly displayed their personal data like phone numbers and email addresses. The latest Meta €265 million fine was also hit due to the GDPR infringements.
This Meta fine may not be it's last. The DPC currently has a number of ongoing inquiries about other aspects of businesses of Meta, which date back around 4.5 years. The DPC also has 40 open inquiries for other big tech companies, including 13 involving Meta.
Frequently Asked Questions
Why did Meta was fined €265 million in November 2022?
What are the fines, imposed on Meta for the GDPR breaches?