Facebook parent company Meta fined €265million by Irish data watchdog for breaching EU law

Facebook parent company Meta have been fined €265million by Ireland's data protection watchdog. Credit: PA Archive/PA Images

Tech giant Meta has been fined €265million by Ireland’s data protection watchdog for breaching EU data privacy laws.

The Data Protection Commission (DPC) issued the sanction against the Facebook parent company for failing to protect millions of Facebook users’ personal data, such as telephone numbers and email addresses, from being “scraped” and published on the internet.

In a statement on Monday the DPC said Meta had been fined for “infringement” of sections of the EU’s GDPR rules that cover technical and organisational measures aimed at protecting user data.

It brings the total fines issued against Meta in the past 18 months to more than €900m.

The latest investigation by the DPC into Meta began in April last year “on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet”.

The data, which was found on a website for hackers, included names, phone numbers, locations, birthdates and email addresses of Facebook users.

Meta said the data had been “scraped” from Facebook.

In a statement the company added: “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.

“Unauthorised data scraping is unacceptable and against our rules.”

The DPC added: “The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (MPIL) during the period between 25 May 2018 and September 2019.

“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.

“The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept).”

The DPC said after a “comprehensive inquiry process” that it had “recorded findings of infringement of Articles 25(1) and 25(2) GDPR”.

It ordered Meta to take remedial action to ensure “scraping” does not happen again.

“The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe,” a statement from DPC said.

“In addition, the decision has imposed administrative fines totalling €265m on MPIL.”

The fine was agreed with other EU data regulators.

There have been increasing calls to better resource Ireland’s DPC, which is the de facto lead EU watchdog of data protection and privacy rules due to a large number of tech multinationals – including Facebook, Apple and Google – basing their European headquarters in Dublin.

In July, the Irish Government announced that two additional data protection commissioners would be hired, and that the current commissioner, Helen Dixon, would be promoted to chairwoman of the DPC.

It said that this was being done in response to “the increased working burden and investigative complexity has been regularly highlighted”.

The Irish watchdog issued a €405m fine to Meta-owned Instagram in September over the way in which it handled teenagers’ personal data, making it the largest fine the authority has ever issued.

Instagram said it would appeal against the decision.

In March the regulator also issued a fine of €17m against Facebook for breaching EU privacy laws.

Last year Meta-owned messaging service WhatsApp was hit with a fine of €225m euro by the DPC for breaching European Union laws on transparency, and the sharing of user information with other companies owned by Facebook.

Want a quick and expert briefing on the biggest news stories? Listen to our latest podcasts to find out What You Need To Know.