The Data Protection Commission (DPC) has imposed a fine of €265 million and a range of corrective measures on Meta Platforms Ireland Limited (MPIL) (data controller for Facebook), bringing the total amount that Meta has been fined by European regulators to nearly €1bn. The total fines include a fine of €225mn against its messaging service WhatsApp for failing to enforce transparency requirements under EU law and a €405mn fine against Instagram for breaching data laws and failing to protect children’s data in particular.
The DPC began an inquiry on 14 April 2021, on foot of media reports about the discovery of a collated dataset of Facebook personal data, when details of more than 500mn Facebook and Instagram users were published online. The scope of the inquiry concerned the period between 25 May 2018 and September 2019, and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools.
The material issues concerned questions of compliance with the GDPR obligation for data protection by design and default. The DPC examined the implementation of technical and organizational measures pursuant to article 25 of the GDPR, which deals with this concept. The inquiry process included cooperation with other EU data protection supervisory authorities, which have all agreed with the decision of the DPC. The decision, which was adopted on Friday 25 November, records findings of infringement of articles 25(1) and 25(2) GDPR.
The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.
The decision has imposed administrative fines totalling €265 million on MPIL. This fine comes in a year when Meta’s net income fell to $6.69bn from $10.39bn last year and during which Meta dismissed more than 11,000 staff as it restructured its business following a decline in revenues and competition from rivals such as TikTok.
The DPC fine relates to a tool designed to help users find friends and people they know through importing contacts from their phones on to the Facebook or Instagram app. The personal data of 533mn users across 106 countries were published on a hacking forum in 2019, including names, locations and some email addresses. Facebook subsequently fixed the vulnerability in this feature, which had allowed external parties to collect data through a process called scraping.
A Meta spokesman said: “Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue.
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”