Irish Regulator Fines Meta $276m Over Data Leak of 533m Facebook Users

The Irish Data Privacy Commission fined Meta for the third time this year - first in March for $18.6 million and the second time in September for $403 million.

November 29, 2022

On Monday, the Irish Data Privacy Commission (DPC) imposed a fine of $276 million and a range of corrective measures on Meta in response to a data leak of over 533 million Facebook users between May 2018 and September 2019. 

The Irish watchdog, which supervises Meta because its European headquarters are located in Dublin, found that Facebook had violated Europe’s General Data Protection Regulation (GDPR), specifically the Data Protection by Design and Default requirement, which meant that the platform was not designed to protect users’ privacy.

At the time of discovery last April, Facebook maintained that the vulnerability used to scrape data had been fixed, as it was the same one reported in a previous leak in January last year. The data breach exposed the personal information of users, including birthdates, phone numbers, Facebook IDs, and full names. Among the users impacted were European Union (EU) Justice Commissioner Didier Reynders, Luxembourg Prime Minister (PM) Xavier Bettel, and dozens of other EU officials.

The decision also imposed a reprimand and an order requiring Meta to “bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.”

In a statement, a Meta spokesperson said, “Protecting the privacy and security of people’s data is fundamental to how our business works. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”

It marked the third time the DPC fined Meta this year. In March, the DPC imposed a penalty of $18.6 million for exposing the data of 30 million Facebook users and another $403 million in September for the improper handling of children’s data on Instagram. In fact, Meta was also asked to pay $267 million for violating Europe’s privacy laws on WhatsApp last year. Meta has previously called these charges “entirely disproportionate.”

The decision also comes against the backdrop of the DPC facing pressure from privacy activists for failing to impose stringent measures and significant penalties on tech companies for data leaks. Though tech giants bear the brunt of such investigations, very few pay up.

The largest GDPR fine of $774 million was imposed on Amazon last year in Luxembourg, which said the processing of personal information by the company was not in compliance with GDPR regulations. However, Amazon is still fighting the penalty.

Similarly, the French regulators fined Google $155 million in January for not providing users with a proper mechanism to decline cookie trackers used by online advertisers to trace the user’s internet browsing history.

The EU has introduced two new laws for tech companies: one restricting potential anticompetitive conduct, and another ordering them to show that they have strong content-moderation systems. The companies are currently discussing the implementation of these provisions with the European Commission.

However, experts are not sure whether these penalties, albeit significant, will lead to any tangible results in the industry regarding data breaches if they are simply considered another cost of doing business.

The DPC has opened 13 investigations into Meta, including one to investigate whether the company forces users to accept advertisements based on their behaviour and another to check whether the standard build of digital ad auctions complies with the bloc’s laws.