Meta, the parent company of Facebook, has once again found itself in hot water over data privacy issues, this time in the form of a hefty €265 million ($275 million) fine imposed by the Irish Data Protection Commission (DPC). Here’s a breakdown of the key details:
GDPR Violations
The fine stems from Meta's violations of the General Data Protection Regulation (GDPR), specifically Article 25(1) (data protection by design) and Article 25(2) (data protection by default). The DPC found that both provisions had been breached and held Meta accountable accordingly.
Corrective Measures
In addition to the fine, the DPC issued a reprimand and ordered corrective measures. Meta Platforms Ireland Limited (MPIL), the Meta subsidiary that acts as data controller for EU users, has been instructed to bring its processing into compliance by implementing the specified measures within a set timeframe.
Investigation Background
The investigation that led to this fine was initiated by the DPC on April 14, 2021, in response to media reports alleging that the personal information of over 530 million Facebook users, including email addresses and mobile phone numbers, had been publicly exposed online.
Facebook’s Response
When the data surfaced, Facebook downplayed the severity of the incident, describing the exposed data as old and asserting that the underlying issue had already been resolved. The company attributed the data set to scraping rather than a compromise of its systems: malicious actors had abused a contact importer feature, available in that form until September 2019, which let a caller upload a list of phone numbers and receive the matching Facebook profiles. Used as intended, the feature helps a user find friends; used with large, synthetically generated number lists, it acts as an oracle that links phone numbers to identities at scale. Facebook stated that it had addressed the problem by removing the ability to upload large lists of phone numbers for matching against profiles.
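To make the mechanism concrete, the following is an added illustration, not Meta's code or any real Facebook endpoint. It models a bulk contact-matching lookup in two forms: an unrestricted version that any caller can drive with a generated number range, and a hardened version that applies the kind of controls Article 25 asks for (a hard cap on numbers per request, a per-caller lookup quota, and a privacy-by-default rule that only returns users who opted in to being found by phone number). The directory, phone numbers, profile identifiers and limits are all constructed for the example.

```python
"""Added example: a contact-importer endpoint as a phone-number oracle,
and a hardened version. Hypothetical code; not Meta's implementation."""
from dataclasses import dataclass, field

# Constructed sample directory (hypothetical data):
#   phone number -> (profile id, discoverable_by_phone)
# 'discoverable_by_phone' models a per-user setting that defaults to False,
# so only users who opted in (u1, u3) should ever be returned by a lookup.
DIRECTORY = {
    "+15550000001": ("u1", True),
    "+15550000002": ("u2", False),
    "+15550000003": ("u3", True),
    "+15550000004": ("u4", False),
}


def match_unrestricted(numbers):
    """Weak design: no batch cap, no caller quota, and the target's privacy
    setting is ignored. Every number that exists in the directory leaks."""
    return {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}


def enumerate_range(prefix, start, end):
    """Attacker's view: generate a contiguous number range and push it
    through the unrestricted endpoint to harvest number-to-profile pairs."""
    candidates = [f"{prefix}{i:07d}" for i in range(start, end)]
    return match_unrestricted(candidates)


class BatchTooLarge(Exception):
    """Request exceeded the per-request cap on phone numbers."""


class QuotaExceeded(Exception):
    """Caller exhausted its lookup quota for the period."""


@dataclass
class ContactMatcher:
    """Hardened design: bounded batch size, per-caller quota, and
    privacy-by-default filtering (Article 25(1) and 25(2) in code form)."""
    max_batch: int = 50        # hypothetical cap on numbers per request
    quota: int = 200           # hypothetical cap on numbers per caller per period
    used: dict = field(default_factory=dict)

    def match(self, caller, numbers):
        if len(numbers) > self.max_batch:
            raise BatchTooLarge(f"{len(numbers)} numbers > cap of {self.max_batch}")
        spent = self.used.get(caller, 0)
        if spent + len(numbers) > self.quota:
            raise QuotaExceeded(f"caller {caller} would exceed quota of {self.quota}")
        self.used[caller] = spent + len(numbers)
        # Data protection by default: only opted-in users are matchable.
        return {
            n: DIRECTORY[n][0]
            for n in numbers
            if n in DIRECTORY and DIRECTORY[n][1]
        }


def probe_until_blocked(matcher, caller, prefix, start, end):
    """Attacker against the hardened endpoint: send batches at the cap until
    the quota trips. Returns (profiles harvested, numbers probed)."""
    harvested, probed, i = {}, 0, start
    while i < end:
        batch = [f"{prefix}{j:07d}" for j in range(i, min(i + matcher.max_batch, end))]
        try:
            harvested.update(matcher.match(caller, batch))
        except QuotaExceeded:
            break
        probed += len(batch)
        i += len(batch)
    return harvested, probed


if __name__ == "__main__":
    print("unrestricted:", enumerate_range("+1555", 0, 10))
    m = ContactMatcher(max_batch=5, quota=12)
    print("hardened:", probe_until_blocked(m, "attacker", "+1555", 0, 10_000))
```

The unrestricted lookup returns all four directory entries from a ten-number sweep, including the two users who never opted in to phone lookup. The hardened matcher returns only the opted-in users, rejects any single request above the batch cap, and stops the sweep entirely once the caller's quota is spent, which is what turns a one-shot enumeration into a cost the attacker has to pay per account and per period. The limits here are illustrative; a real deployment would pick them from observed legitimate usage and pair them with anomaly detection on callers that only ever submit sequential or never-seen numbers.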
Investigation Scope
The DPC's investigation focused on the contact search and importer tools Meta offered across its platforms: Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer. It covered the period from May 25, 2018, when the GDPR became applicable, to September 2019, when Facebook changed its contact importer to remove bulk matching.
GDPR Compliance
The crux of the investigation was Meta's compliance with the GDPR's requirement for data protection by design and by default. Article 25 obliges a controller to implement appropriate technical and organisational measures so that data protection principles are built into processing and that, by default, only the personal data necessary for each purpose is processed; the DPC examined whether the measures around these tools met that standard.
Collaborative Efforts
The DPC emphasized that it conducted a thorough investigation and, as lead supervisory authority, shared its draft decision with the other EU data protection authorities under the GDPR's cooperation procedure. Those authorities agreed with the DPC's findings, so the decision was adopted without the dispute-resolution step that has complicated several of the DPC's earlier Meta cases.
Meta’s Ongoing Scrutiny
This is not the first time Meta has faced significant fines for data protection violations. WhatsApp, owned by Meta, was fined €225 million a little over a year ago for transparency breaches. Instagram, also owned by Meta, incurred a €405 million fine earlier this year for infringing children's privacy rights. In March, Meta was also fined €17 million (about $18.6 million) over a series of earlier Facebook data breaches.
The DPC continues to scrutinize other aspects of Meta's operations, including an inquiry, now running for roughly 4.5 years, into the legal basis on which Meta processes personal data. This ongoing oversight underscores the EU's commitment to enforcing the GDPR and holding large technology companies accountable.