Meta Platforms was fined 265 million euros (U.S. $274 million) for failing to put in place adequate measures to protect users’ data after a leak compromised the personal details of more than half a billion individuals.
The Irish Data Protection Commission (DPC)—Meta’s European regulator—also reprimanded the company and imposed a range of corrective technical and organizational measures it must comply with within a three-month deadline.
In a decision adopted Nov. 25 and announced Monday, the data regulator said Meta infringed Article 25 of the General Data Protection Regulation (GDPR) over the way users’ details were scraped from public profiles from the date the EU’s privacy legislation went into effect on May 25, 2018, up until September 2019.
Meta failed to protect data “by design and default” on its Facebook and Instagram messenger apps, the Irish DPC concluded. All other EU data regulators agreed with the Irish DPC’s decision, which they were given last month.
The data regulator began its inquiry in April 2021, following media reports the personal details of more than 530 million Facebook users were found available on a website for hackers. Data included full names, locations, birthdates, email addresses, and phone numbers.
At the time, Facebook said the data had been stolen and made public from a reported data breach that took place in early 2018—before the GDPR came into force—and the information was being recycled. Since the incident predated the GDPR, Meta originally argued it had no new case to answer.
The investigation raised questions among legal experts about whether companies could—or should—be punished more than once for the same data leak as some believed the GDPR does not explicitly state what would happen in case of a breach not being remedied effectively by the organization that subsequently led to more people being affected later.
“Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue,” said a Meta spokesperson in an emailed statement. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules, and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
In September, the Irish DPC fined Instagram a record €405 million (then-U.S. $401 million) for failure to protect teenage users’ data.
In March, the regulator issued Meta a €17 million (then-U.S. $18.6 million) fine after investigating a dozen breach notifications. The Irish DPC found the tech firm processed personal data unlawfully and did not have appropriate technical and organizational measures in place to secure it.
Last year, Meta subsidiary WhatsApp received a GDPR fine of €225 million (then-U.S. $267 million) for data processing violations.