The Irish Data Protection Commission is finally starting to answer its critics after issuing a fourth fine – of €265m (£210m) – against Facebook parent Meta for yet another major breach of GDPR, bringing the regulator’s total penalties against the social media giant to €912m (£786m) in just over 12 months.
The latest penalty relates to a major data leak that first emerged over the Easter weekend of 2021, following reports that a huge cache of Facebook user data had been posted on a hacking forum. It was free to download and allowed anyone to look up a Facebook user's record by phone number.
It contained details on more than 533 million Facebook users from 106 countries, including 44 million in Egypt, 39 million in Tunisia, 32 million in the US and 11 million in the UK. The data included full names, phone numbers, gender, date of birth, location, relationship status and email address.
At the time, Facebook tried to downplay the seriousness of the leak, claiming the information was publicly available and had been scraped before changes were made to its platform in 2018 and 2019.
In a blog post Facebook product management director Mike Clark said that “malicious actors” had accessed the user data “not through hacking Facebook systems” but by scraping it from people’s Facebook profiles prior to September 2019.
But the Irish DPC was having none of it, and launched an investigation.
The regulator has now confirmed that its inquiry looked at the contact search and contact importer tools the company offers on its platforms, covering the period between the date the GDPR came into application and the changes Facebook made to the contact importer tool in September 2019.
The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools “in relation to processing carried out by Meta Platforms Ireland during the period between May 25 2018 and September 2019”.
The regulator went on to say that there had been “a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC”.
Ultimately, Meta was found to be in breach of Articles 25(1) and 25(2) GDPR, which require data protection by design (25(1)) and by default (25(2)): a controller must build appropriate technical and organisational safeguards into its processing, and must ensure that, by default, only the personal data necessary for each purpose is processed or made accessible.
Data Protection Commissioner Helen Dixon said: “Because this data set was so large, because there had been previous instances of scraping on the platform, where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction.
“The risks are considerable for individuals in terms of scamming, spamming, smishing, phishing and loss of control over their personal data so we imposed a fine of €265m in total.”
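To make concrete what the contact-importer weakness looks like, and what "data protection by design and by default" means once it is turned into code, the following Python model is an added example written for this article. It is not Meta's code and does not describe how Facebook's importer actually worked; the user records, phone numbers, class names, batch and budget limits and the enumeration heuristic are all constructed assumptions. The naive importer matches any number for any caller and ignores the user's preference; the hardened one matches only users who opted in to phone lookup, caps each batch, gives each caller a finite lookup budget, and flags batches that look like a sequential number sweep rather than an address book, which is the kind of signal the regulator said could have been spotted sooner.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    name: str
    phone: str                           # E.164, e.g. "+353850000001"
    discoverable_by_phone: bool = False  # privacy by default: off unless the user opts in


# Constructed directory for the demo; names and numbers are made up.
DIRECTORY = [
    User(1, "Alice", "+353850000001", discoverable_by_phone=True),
    User(2, "Bob", "+353850000002"),
    User(3, "Carol", "+353850000003"),
    User(4, "Dave", "+353851234567", discoverable_by_phone=True),
]

# A scraper's batch: 300 consecutive numbers, not anyone's real contact list.
ENUMERATION_BATCH = [f"+35385000{n:04d}" for n in range(1, 301)]
# A legitimate user's address book: a few unrelated numbers (constructed).
ADDRESS_BOOK = ["+353850000001", "+353851234567", "+353867777777"]


def looks_like_enumeration(phones, min_size=50, min_sequential_ratio=0.5):
    """Heuristic (an assumption for this example): a real address book is a
    scatter of numbers, a scraper's batch is mostly consecutive integers.
    True when at least min_sequential_ratio of adjacent sorted numbers differ by 1."""
    if len(phones) < min_size:
        return False
    nums = sorted(int(p.lstrip("+")) for p in phones if p.lstrip("+").isdigit())
    if len(nums) < 2:
        return False
    sequential = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return sequential / (len(nums) - 1) >= min_sequential_ratio


class NaiveContactImporter:
    """Weak design: every directory entry is matchable by any caller, the
    user's discoverability preference is ignored and there are no limits."""

    def __init__(self, users):
        self.by_phone = {u.phone: u for u in users}

    def match(self, caller_id, phones):
        hits = []
        for p in phones:
            u = self.by_phone.get(p)
            if u is not None:
                hits.append((u.user_id, u.name, u.phone))
        return hits


class HardenedContactImporter:
    """By design and by default, as modelled here: only opted-in users are
    matchable, batches are capped, each caller has a lookup budget so a bulk
    sweep is cut off early, and sweep-shaped batches are flagged for review."""

    MAX_BATCH = 100       # numbers per request (assumed limit)
    LOOKUP_BUDGET = 250   # numbers per caller per window; window reset omitted

    def __init__(self, users):
        self.by_phone = {u.phone: u for u in users if u.discoverable_by_phone}
        self.spent = defaultdict(int)
        self.flagged = set()

    def match(self, caller_id, phones):
        if len(phones) > self.MAX_BATCH:
            raise ValueError(f"batch exceeds {self.MAX_BATCH} numbers")
        if self.spent[caller_id] + len(phones) > self.LOOKUP_BUDGET:
            raise PermissionError("lookup budget exhausted")
        self.spent[caller_id] += len(phones)
        if looks_like_enumeration(phones):
            self.flagged.add(caller_id)   # hand to abuse detection, do not serve silently
        return [(u.user_id, u.name) for p in phones
                if (u := self.by_phone.get(p)) is not None]


def run_naive():
    """The scraper gets every record whose number falls in its sweep."""
    return NaiveContactImporter(DIRECTORY).match("scraper", ENUMERATION_BATCH)


def run_hardened():
    """Same sweep in 100-number chunks: only opted-in users match, the third
    chunk is refused, and the caller is flagged. Returns (hits, cut_off, flagged)."""
    imp = HardenedContactImporter(DIRECTORY)
    hits, cut_off = [], False
    for i in range(0, len(ENUMERATION_BATCH), imp.MAX_BATCH):
        try:
            hits.extend(imp.match("scraper", ENUMERATION_BATCH[i:i + imp.MAX_BATCH]))
        except PermissionError:
            cut_off = True
            break
    return hits, cut_off, "scraper" in imp.flagged


if __name__ == "__main__":
    print("naive:", run_naive())
    print("hardened:", run_hardened())
```

The specific values (an opt-in default, a batch cap of 100, a budget of 250) are illustrative choices; the point is the shape of the difference. In the naive class the only thing between a scraper and the whole directory is how many numbers it is willing to submit. In the hardened class, a user who never opted in is unmatchable no matter what the caller sends, an address book of a few numbers still works, and a sweep both exhausts its budget within a few requests and produces a signal that abuse tooling can act on.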
In a statement, Meta said: “Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.
“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
The company claimed that it has implemented a range of measures to combat data scraping since this breach.
Either way, the fines are now mounting for Meta and its subsidiaries, after long-running accusations that the Irish DPC, the lead regulator for Meta in the EU, was too slow to act.
In September 2021, the DPC imposed a €225m (£219m) fine on WhatsApp for severe breaches of GDPR, but only after pressure from other European regulators to increase the sanction from a proposed €50m (£44m).
Meanwhile, in March this year, the company was fined €17m (£14.3m) for a string of historical Facebook data breaches and, in September, its Instagram division was hit with a €405m (£349m) penalty for children’s privacy violations.