Meta, the parent company of Facebook, has received another severe fine for breaking European data privacy regulations.
The Irish Data Protection Commission (DPC), the internet giant's primary overseer under the European Union's General Data Protection Regulation (GDPR), issued the €265 million ($275 million) penalty today (1).
The DPC confirmed that it found violations of Articles 25(1) and 25(2) of the GDPR, which concern data protection by design and by default.
The DPC also said it is enforcing several corrective measures, stating in its judgment that MPIL (Meta Platforms Ireland Limited) must bring its processes into compliance by completing several specific corrective activities within a specific amount of time.
The fine relates to an investigation that the DPC launched on April 14, 2021, in response to media allegations that the personal information of more than 530 million Facebook users, including e-mail addresses and mobile phone numbers, had been made publicly available online.
Facebook attempted to downplay the breach at the time by saying the information that had been discovered floating about the internet was "ancient data" and that it had solved the problem that had caused the personal information to be exposed.
The business then claimed that it believed the information had been obtained by hackers using a contact importer feature that was operational until September 2019, before the company rectified the breach to prevent data abuse by removing the ability to upload a large list of phone numbers to match with Facebook profiles.
The Allegations Per DPC
The DPC said its investigation examined several contact search and importer tools the business provided on its platforms between the date the GDPR went into effect and the time Facebook made improvements to the contact importer tool in the fall of 2019.
According to the DPC, the investigation focused on the Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools with respect to processing carried out by Meta Platforms Ireland Limited between May 25, 2018, and September 2019.
It added that it had looked at the implementation of "technical and organizational" measures pertinent to Article 25 GDPR and that "the principal problems in this inquiry addressed questions of compliance with the GDPR duty for Data Protection by Design and Default."
"There was a thorough investigation procedure, which involved collaboration with all of the other EU data protection regulatory bodies," the regulator said. It also noted that "those supervisory authorities concurred with the decision of the DPC," highlighting the fact that there was no disagreement regarding this particular decision, which is frequently not the case with cross-border GDPR enforcements. Disagreements between EU regulators can frequently significantly lengthen the time it takes to enforce the GDPR, hence this final decision has been made relatively quickly.
"Specifically, to the extent that MPIL is engaged in ongoing processing of personal data with a default searchability setting of 'Everyone,' this order requires...MPIL to implement appropriate technical and organizational measures regarding the Relevant Features in respect of any ongoing processing of personal data, to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed, and that by default, no personal data other than those necessary for the processing is processed."
This is not Their First Fine
WhatsApp, owned by Meta, was fined $267 million (about €225 million) just over a year ago for transparency violations. Instagram, which Meta owns, was fined €405 million earlier this fall for violating children's privacy rights. In addition, the business was hit with an $18.6 million penalty in March for a series of earlier Facebook data breaches.
The DPC is also looking into various facets of Meta's business, including a thorough investigation into the legal justification for processing personal data that dates back about 4.5 years.