Irish DPC Fines Meta Platforms €265 million for GDPR Infringements
Meta Platforms has been hit with another financial penalty for infringements of the EU’s General Data Protection Regulation (GDPR). The latest penalty – €265m ($275m) – is one of the largest to date to resolve GDPR violations and was imposed by the Irish Data Protection Commission (DPC).
In 2019, a large dataset was posted on the Internet that contained the personal data of more than 530 million Facebook users. The data, which included phone numbers and email addresses, had been scraped from public Facebook profiles. After reading the reports in the media, the DPC launched an investigation of Meta Platforms on April 14, 2021, and examined the data processing activities of Meta Platforms, specifically looking at Facebook Search, Facebook Messenger Contact Importer to assess compliance with Article 25 of the GDPR.
Article 25 of the GDPR requires companies to implement data protection by design and default. The DPC determined that from May 25, 2018, until September 2019, Meta Platforms had failed to implement appropriate safeguards to protect the personal data of EU citizens, which was an infringement of Article 25(1) and (2). A significant percentage of the 530 million users affected by the data breach were residents of the EU at the time of the data breach.
Under the one-stop-shop mechanism of the GDPR, one data protection authority is responsible for investigating cross-border infringements of the GDPR, and because the EU base of Meta Platforms is in Ireland, that responsibility falls on the Irish DPC. This is not the first financial penalty to be imposed by the DPC on Meta Platforms to resolve GDPR infringements. The Irish DPC had previously fined Meta Platforms €17 million, and its subsidiaries, WhatsApp and Instagram were fined €225 million and €405m respectively, bringing the total GDPR financial penalties up to €912 million.
Meta Platforms was issued with a reprimand and was ordered to bring its data processing activities in compliance with the GDPR. Meta Platforms confirmed that action was promptly taken to resolve the issue that allowed data to be scraped from its site. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules.”