Daily Management Review

Irish Data Protection Commission Imposes €265m Fine On Meta Over Facebook Data Breach


Irish Data Protection Commission Imposes €265m Fine On Meta Over Facebook Data Breach
The Irish Data Protection Commission fined Meta, the company that owns Facebook, Instagram, and WhatsApp, €265 million (DPC). The fine is for a data breach that resulted in the personal information of hundreds of millions of Facebook users being published online.
An online hacking forum revealed the phone numbers and email addresses of up to 533 million users. In April 2021, the DPC launched an investigation.
Facebook stated at the time that the information, some of which had previously appeared online, was "scraped" but not "hacked" by malicious actors prior to September 2019 via a vulnerability in its tools.
"Scraping" is the use of automated software to extract public information from the internet, which is then distributed in online forums.
However, the DPC determined that Meta violated Article 25 of the General Data Protection Regulation (GDPR) rules.
"Because this data set was so large, because there had been previous instances of scraping on the platform, where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction," Data Protection Commissioner Helen Dixon said.
"The risks are considerable for individuals in terms of scamming, spamming, smishing, phishing and loss of control over their personal data so we imposed a fine of €265m in total."
In addition to the fine, Meta has received a reprimand and an order requiring it to bring its processing into compliance by implementing a series of specified corrective actions within a specific timeframe.
"Protecting the privacy and security of people's data is fundamental to how our business works. That's why we have cooperated fully with the Irish Data Protection Commission on this important issue. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully," said a spokesman for the company.
Meta filed an appeal in the High Court in September against the DPC's record fine of €405 million imposed on Instagram.
It was the largest fine ever imposed by Ireland's data watchdog for violations involving the processing of children's data.