Facebook parent Meta has been hit with another heavy fine for breaching European data protection law.
The €265 million (~$275 million) fine was announced today by the Irish Data Protection Commission (DPC), the tech giant’s lead regulator for the European Union’s General Data Protection Regulation (GDPR).
The DPC confirmed that the decision, which was approved on Friday, records findings of violation of Articles 25(1) and 25(2) GDPR — which are focused on data protection by design and by default.
The DPC said it is also putting in place a number of remedial measures, writing: “The decision has issued a warning and an order that MPIL requires [Meta Platforms Ireland Limited] to bring its processing into compliance by taking a series of specified corrective actions within a specified time frame.”
The decision relates to an investigation which was opened by the DPC on 14 April 2021, following media reports of the online exposure of the personal data of more than 530 million Facebook users – including email addresses and mobile phone numbers.
At the time, Facebook tried to downplay the breach – claiming that the data found circulating online was “old data” and that it had fixed the problem that led to the exposure of personal data.
The company followed that up by saying it believed the data had been scraped from Facebook profiles by “malicious actors” using a contact importer feature it offered until September 2019, before patching it to prevent data abuse by blocking the ability to upload a large set of phone numbers to find those that match Facebook profiles.
The DPC confirmed that its investigation looked at a variety of contact search tools and importers that the company offered on its platforms between the date of entry into force of the GDPR and the date of the changes to Facebook’s contact importer tool made in autumn 2019.
“The purpose of the investigation concerned an examination and evaluation of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to the processing carried out by Meta Platforms Ireland Limited (‘MPIL’) during the period between 25 May 2018 and September 2019,” the DPC writes.
“The material issues in this investigation concerned issues of compliance with the GDPR obligation on Data Protection by Design and Default,” it added, specifying that it had examined the implementation of “technical and organisational” measures in relation to Article 25 GDPR (which addresses data protection by design and by default).
“There was a comprehensive investigative process, including cooperation with all other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the DPC’s decision,” the regulator also said – highlighting the lack of disagreement over this particular ruling, which is often not the case with cross-border enforcement of the GDPR (disagreements between EU regulators can significantly increase the time it takes to reach a final decision, which is why this one has come relatively quickly).
DPC Deputy Commissioner Graham Doyle told TechCrunch that the remedial measures it has applied to Meta as part of this decision are “an order pursuant to Article 58(2)(d) of the GDPR… to bring its processing in line with GDPR in the manner set out in this decision” – with the company having three months from the date of the final decision to comply with it.
“Specifically, to the extent that MPIL is engaged in ongoing processing of personal data that includes a default search setting of ‘All,’ this order requires… MPIL to implement appropriate technical and organisational measures in respect of the Relevant Features in relation to any ongoing processing of personal data, to ensure that, by default, only personal data that is necessary for each specific purpose of processing is processed and that by default personal data does not become accessible without the intervention of the individual to an indefinite number of natural persons,” he added, emphasising: “This order is made to ensure compliance with Article 25(2) GDPR.”
“Relevant Features” in this context are the Facebook Contact Importer; Messenger Contact Importer; Instagram Contact Importer; and Messenger Search; and features of its Messenger Contact Creator variant.
Meta was contacted for a response. A spokesperson did not confirm whether or not it will seek an appeal – but the tech giant said it is “considering” the decision “carefully”.
Here is Meta’s statement:
“Protecting the privacy and security of people’s data is fundamental to how our business operates. That is why we have co-operated fully with the Irish Data Protection Commission on this important matter. We’ve made changes to our systems in the meantime, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules and we will continue to work with our colleagues on this industry challenge. We are carefully reviewing this decision.”
The company added that it has put a number of measures in place to combat data scraping since the breach – including applying rate caps and deploying technical tools to combat suspicious automated activity, as well as providing users with controls to limit the public visibility of their information.
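To make the mitigations described above concrete, here is an added illustration (not Meta's code; the caps and sample accounts are assumed values constructed for the example) of a contact-matching service that applies a privacy-by-default discoverability setting instead of ‘All’, a batch-size cap per lookup, and a per-account rate cap, and that returns only matches so the response does not reveal whether an unmatched number belongs to an account.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed caps for illustration; the article gives no figures.
MAX_NUMBERS_PER_LOOKUP = 20
MAX_LOOKUPS_PER_ACCOUNT = 5


@dataclass
class Profile:
    user_id: str
    phone: str
    # Data protection by default: discoverable by phone only to friends,
    # not to "All" (the default setting the DPC's order addresses).
    discoverable_by_phone: str = "friends"


@dataclass
class ContactMatcher:
    profiles_by_phone: dict
    lookups: defaultdict = field(default_factory=lambda: defaultdict(int))
    friends: dict = field(default_factory=dict)  # user_id -> set of friend ids

    def match(self, requester: str, numbers: list) -> list:
        """Return user_ids of uploaded numbers the requester is allowed to see."""
        # Batch cap: blocks bulk matching of a large set of numbers in one call.
        if len(numbers) > MAX_NUMBERS_PER_LOOKUP:
            raise ValueError("too many numbers in one lookup")
        # Rate cap per account (a real service would use a sliding time window).
        self.lookups[requester] += 1
        if self.lookups[requester] > MAX_LOOKUPS_PER_ACCOUNT:
            raise PermissionError("lookup rate cap exceeded")
        my_friends = self.friends.get(requester, set())
        matched = []
        for number in numbers:
            profile = self.profiles_by_phone.get(number)
            if profile is None:
                continue  # unknown and non-discoverable numbers look identical to the caller
            setting = profile.discoverable_by_phone
            if setting == "All" or (setting == "friends" and profile.user_id in my_friends):
                matched.append(profile.user_id)
        return matched


def build_sample_matcher() -> ContactMatcher:
    # Constructed sample data, not real accounts or phone numbers.
    alice = Profile("alice", "+10000000001")  # keeps the "friends" default
    bob = Profile("bob", "+10000000002", discoverable_by_phone="All")
    return ContactMatcher({p.phone: p for p in (alice, bob)},
                          friends={"carol": {"alice"}})
```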
The GDPR fine is not the first for Meta – and it may not be the last.
Just over a year ago, Meta-owned WhatsApp was fined €225 million (~$267 million) for transparency violations. In March, the company was also fined about $18.6 million for a series of historic Facebook data breaches.
The DPC also has a number of ongoing investigations into other aspects of Meta’s business – not least a major investigation, dating back some 4.5 years, into the legal basis Meta claims allows it to process people’s data.