Facebook’s parent company, Meta, has suffered another heavy penalty for violating European data protection laws.
The €265 million (~$275M) fine was announced today by the Irish Data Protection Commission (DPC), the tech giant's lead regulator under the European Union's General Data Protection Regulation (GDPR).
The DPC confirmed that the decision was adopted on Friday and documents violations of Articles 25(1) and 25(2) GDPR, the provisions on data protection by design and by default.
The DPC said it is also adopting a range of remedies, writing: “Decision to impose a reprimand and order to request MPIL [Meta Platforms Ireland Limited] to bring its processing into compliance by taking a specified series of remedial actions within a specific time frame.”
The penalty relates to an inquiry the DPC opened on April 14, 2021, after media reports that the personal data of more than 530 million Facebook users, including email addresses and mobile phone numbers, had been exposed online.
At the time, Facebook tried to downplay the breach, claiming that the data circulating online was "old data" and that it had already fixed the issue that led to the personal data being exposed.
The company followed that by saying it believed the data had been scraped from Facebook profiles by "malicious actors" abusing the contact import feature it offered until September 2019, when it changed the feature to prevent such abuse by blocking the ability to upload a large set of phone numbers and get back the Facebook profiles that matched them.
The DPC confirmed its investigation looked at a variety of contact import and search tools the company offers on its platforms from the date the GDPR was introduced to the date of the change to the contact import tool Facebook implemented in the fall of 2019.
"The scope of the investigation involved testing and evaluation of Facebook Search, Facebook Messenger Contacts Importer and Instagram Contacts Importer in connection with processing by Meta Platforms Ireland Limited ('MPIL') for the period from May 25, 2018 to September 2019," wrote the DPC.
"The key issues in this investigation relate to questions about compliance with the GDPR obligation for Data Protection by Design and by Default," it added, specifying that it examined the implementation of the "technical and organizational" measures required by Article 25 GDPR (data protection by design and by default).
"There is already a comprehensive investigative process, including cooperation with all other data protection watchdogs in the EU. Those watchdogs agreed to the DPC's decision," the regulator also said, stressing that there was no disagreement over this particular decision. That is not always the case with cross-border GDPR enforcement, where disputes between EU regulators are frequent and have significantly lengthened the time it takes to reach final decisions; this decision was reached relatively quickly.
DPC deputy commissioner Graham Doyle told TechCrunch that the remedies applied to Meta as part of this decision are "orders under Article 58(2)(d) GDPR… to bring its processing into compliance with the GDPR in the manner set forth in this Decision", with the company given three months from the date of the final decision to comply.
"Specifically, to the extent that MPIL is engaged in the ongoing processing of personal data, including setting the default searchability to 'Everyone', this order requires… MPIL to take appropriate technical and organizational measures for the relevant features for any ongoing processing of personal data, to ensure that, by default, only the personal data required are processed for each specific processing purpose and that by default personal data is not made accessible, without the individual's intervention, to an indefinite number of natural persons," he added, emphasizing: "This Order is made to ensure compliance with Article 25(2) GDPR."
"Relevant features" in this context are the Facebook Contact Importer; the Messenger Contact Importer; the Instagram Contact Importer; Messenger Search; and its variant, the Messenger Contact Creator.
Meta has been contacted for feedback. A spokesman did not confirm whether it would seek an appeal – but the tech giant said it was “reviewing” the decision “carefully”.
Here is Meta’s statement:
"Protecting people's privacy and data security is fundamental to the way we do business. That is why we have fully cooperated with the Irish Data Protection Commission on this important matter. We made changes to our systems during the time in question, including removing the ability to collect data from our features in this way using phone numbers. Unauthorized data collection is unacceptable and goes against our rules, and we will continue to work with our peers on this industry challenge. We are reviewing this decision carefully."
The company added that it has put in place a series of measures to combat data scraping since this breach, including imposing rate limits and deploying automated technical tools to counter the activity, as well as giving users controls to limit the public visibility of their information.
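To make the abuse pattern described earlier (bulk phone-number uploads to a contact importer) and the countermeasures Meta lists (rate limits, and a default that does not expose users) concrete, the following Python example is added here for illustration. It is not Meta's code and does not describe Meta's systems: the user directory, account names, batch cap and rate-limit values are all assumptions chosen for the example. It shows an unrestricted matcher beside a hardened one that defaults to "not discoverable", caps the batch size, and rate-limits lookups per account.

```python
import time
from collections import deque

# Constructed sample directory (hypothetical data, not real accounts):
# phone number -> (user id, the user's explicit "who can look me up by
# phone number" choice, or None if the user never changed the setting).
DIRECTORY = {
    "+15550000001": ("u1", True),   # opted in to lookup by phone number
    "+15550000002": ("u2", None),   # never touched the setting: takes the default
    "+15550000003": ("u3", False),  # opted out
}


def match_contacts_unrestricted(uploaded_phones):
    """'Before' behaviour: accept any number of phone numbers and return the
    profile behind every one that matches, ignoring the user's own setting.
    Feeding this whole number ranges harvests a phone-to-profile mapping."""
    return {p: DIRECTORY[p][0] for p in uploaded_phones if p in DIRECTORY}


class ContactMatcher:
    """Hardened matcher: privacy-protective default plus abuse limits.

    - default_searchable=False: users who never set a preference are NOT
      discoverable by phone number (the opposite of an 'Everyone' default).
    - max_batch caps how many numbers one upload may contain.
    - max_lookups per window_seconds caps lookups per account over a
      sliding window, so a scraper cannot page through number ranges.
    All limit values are assumptions for this example, not Meta's numbers.
    """

    def __init__(self, directory, default_searchable=False, max_batch=500,
                 max_lookups=5000, window_seconds=3600):
        self.directory = directory
        self.default_searchable = default_searchable
        self.max_batch = max_batch
        self.max_lookups = max_lookups
        self.window = window_seconds
        self._history = {}  # account id -> deque of (timestamp, numbers looked up)

    def _discoverable_user(self, phone):
        """Return the user id only if that user allows lookup by phone."""
        entry = self.directory.get(phone)
        if entry is None:
            return None
        user_id, setting = entry
        allowed = self.default_searchable if setting is None else setting
        return user_id if allowed else None

    def match(self, account_id, uploaded_phones, now=None):
        now = time.time() if now is None else now
        phones = list(dict.fromkeys(uploaded_phones))  # de-duplicate, keep order
        if len(phones) > self.max_batch:
            raise ValueError(f"batch of {len(phones)} exceeds cap of {self.max_batch}")

        # Sliding-window rate limit per calling account.
        history = self._history.setdefault(account_id, deque())
        while history and now - history[0][0] >= self.window:
            history.popleft()
        used = sum(count for _, count in history)
        if used + len(phones) > self.max_lookups:
            raise PermissionError(f"account {account_id} exceeded {self.max_lookups} "
                                  f"lookups per {self.window}s")
        history.append((now, len(phones)))

        result = {}
        for phone in phones:
            user_id = self._discoverable_user(phone)
            if user_id is not None:
                result[phone] = user_id
        return result


if __name__ == "__main__":
    probe = ["+15550000001", "+15550000002", "+15550000003", "+15550000009"]
    print("unrestricted:", match_contacts_unrestricted(probe))
    hardened = ContactMatcher(DIRECTORY, max_batch=3, max_lookups=5, window_seconds=60)
    print("hardened:    ", hardened.match("scraper", probe[:3], now=0))
```

In the unrestricted version every matching profile comes back, including users who opted out or never chose. In the hardened version only the opted-in user is returned, an upload larger than the batch cap is rejected outright, and a second batch inside the window that would push the account over its lookup budget is refused rather than served. Setting `default_searchable=True` reproduces the "Everyone by default" behaviour the DPC's order targets.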
The GDPR penalty isn’t the first for Meta — and it may not be the last.
Just over a year ago, Meta-owned WhatsApp was fined €225M (~$267M) for transparency violations. And back in March, the company was fined about $18.6 million for a series of historical data breaches at Facebook.
The DPC also has open questions about other aspects of Meta's business, not least a major investigation into the legal basis Meta claims for processing people's data, an inquiry that has been running for about four and a half years.