GDPR Penalty For Facebook Data-Scraping Violation Hits Meta With $275M

Meta, which owns Facebook, has been hit with another big fine for breaking European law on protecting personal information.

The Irish Data Protection Commission (DPC), which is in charge of enforcing the EU’s General Data Protection Regulation (GDPR) for the tech giant, announced the €265 million ($275 million) fine today.

DPC Investigation

The DPC confirmed that the decision, which was made on Friday, records violations of Articles 25(1) and 25(2) of the GDPR, which are about protecting data by design and by default.

The DPC said it is also taking several corrective measures, writing: “The decision imposed a reprimand and an order requiring MPIL [Meta Platforms Ireland Limited] to bring its processing into compliance by taking several specified corrective actions within a certain timeframe.”

The penalty is related to an investigation started by the DPC on April 14, 2021, after the media reported that the personal information of more than 530 million Facebook users, such as email addresses and mobile phone numbers, had been posted online.


At the time, Facebook tried to downplay the breach by saying that the data that was found online was “old data” and that the problem that led to the personal information being exposed had been fixed.

The company then said that it believed the data had been taken from Facebook profiles by “malicious actors” using a feature called “contact importer”. That feature existed in its original form until September 2019, when Facebook changed it to stop the abuse by making it impossible to upload a large number of phone numbers in order to find the ones that matched Facebook profiles.


The DPC confirmed that its investigation looked at different contact search and importer tools that the company offers on its platforms between the time the GDPR went into effect and the time Facebook made changes to the contact importer tool in the fall of 2019.

“The scope of the inquiry was an examination and evaluation of Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools about processing done by Meta Platforms Ireland Limited (‘MPIL’) between May 25, 2018, and September 30, 2019,” the DPC wrote.

“The important questions in this inquiry were about compliance with the GDPR obligation for Data Protection by Design and Default,” it said, adding that it had looked at how the “technical and organizational” measures required by Article 25 GDPR (which deals with data protection by design and by default) had been put in place.

“There was a thorough investigation process that included working with all of the other data protection watchdogs in the EU. Those supervisory authorities agreed with the DPC’s decision,” the regulator also said. It drew attention to the fact that there was no disagreement over this particular decision, which is not always the case with cross-border GDPR enforcement: disputes between EU regulators can make enforcement take a lot longer, which is why this final decision came out relatively quickly.

Graham Doyle, the deputy commissioner of the DPC, told TechCrunch that the corrective measures it has given to Meta as part of this decision are “an order under Article 58(2)(d) GDPR… to bring its processing into compliance with the GDPR in the way specified in this Decision.” The company has three months from the date of the final decision to do this.


“Specifically, to the extent that MPIL is engaged in ongoing processing of personal data that includes a default searchability setting of ‘Everyone,’ this order requires… MPIL to implement appropriate technical and organizational measures regarding the Relevant Features for any ongoing processing of personal data, to make sure that, by default, only personal data that are necessary for each specific purpose of the processing are processed.”

In this case, “Relevant Features” are Facebook Contact Importer, Messenger Contact Importer, Instagram Contact Importer, Messenger Search, and Messenger Contact Creator, which is a similar feature.

Meta Statement

Meta was asked for comment. A spokesman couldn’t say for sure whether it will appeal, but the tech giant said it is “carefully reviewing” the decision.

Here’s Meta’s statement:

Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.

The company also said that since this breach, it has taken several steps to stop data scraping. These include setting rate limits and using technical tools to stop suspicious automated activity, as well as giving users controls to limit how much of their information is visible to the public.
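To make the two controls named above concrete, here is an added Python illustration (not Meta’s code or configuration) of a contact-importer lookup guarded by a restrictive default searchability setting and per-account rate limits on phone-number lookups. Every identifier, threshold, user and phone number in it is constructed for the example; the thresholds in particular are assumptions, not values the DPC or Meta published.

```python
"""Data-protection-by-default guards for a contact-importer lookup.

Added example, not Meta's code. It models what the article describes:
(1) a phone-number lookup that honours each profile's searchability
setting, with the non-discoverable setting as the default instead of
"everyone", and (2) a cap on batch size plus a sliding-window rate
limit so that bulk enumeration of phone numbers is throttled.
All names, thresholds and sample data are constructed.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_NUMBERS_PER_REQUEST = 50   # assumed cap on one import batch
MAX_LOOKUPS_PER_WINDOW = 200   # assumed per-account lookup budget
WINDOW_SECONDS = 3600          # assumed sliding window length


@dataclass
class Profile:
    user_id: str
    phone: str
    # Data protection by default: a new account is NOT discoverable by
    # phone number unless the user opts in. Valid values are
    # "nobody" | "friends" | "everyone".
    searchable_by_phone: str = "nobody"
    friends: set = field(default_factory=set)

    def discoverable_by(self, requester: str) -> bool:
        if self.searchable_by_phone == "everyone":
            return True
        if self.searchable_by_phone == "friends":
            return requester in self.friends
        return False


@dataclass
class ImporterGuard:
    """Per-account batch-size cap and sliding-window lookup budget."""
    # account -> deque of (timestamp, numbers_looked_up)
    history: dict = field(default_factory=dict)

    def allow(self, account: str, numbers: list, now: float):
        if len(numbers) > MAX_NUMBERS_PER_REQUEST:
            return False, "batch too large"
        window = self.history.setdefault(account, deque())
        # Drop lookups that have aged out of the window.
        while window and now - window[0][0] >= WINDOW_SECONDS:
            window.popleft()
        used = sum(count for _, count in window)
        if used + len(numbers) > MAX_LOOKUPS_PER_WINDOW:
            return False, "rate limit"
        window.append((now, len(numbers)))
        return True, "ok"


def match_contacts(directory: dict, requester: str, numbers: list,
                   guard: ImporterGuard, now: float) -> dict:
    """Return user ids whose phone numbers appear in `numbers` and who
    allow discovery by `requester`; refuse the whole request when the
    guard denies it."""
    allowed, reason = guard.allow(requester, numbers, now)
    if not allowed:
        return {"matches": [], "denied": reason}
    matches = []
    for number in numbers:
        profile = directory.get(number)
        if profile is not None and profile.discoverable_by(requester):
            matches.append(profile.user_id)
    return {"matches": matches, "denied": None}


def build_directory() -> dict:
    """Constructed sample directory keyed by phone number."""
    profiles = [
        Profile("alice", "+15550000001", searchable_by_phone="everyone"),
        Profile("bob", "+15550000002"),  # keeps the "nobody" default
        Profile("carol", "+15550000003", searchable_by_phone="friends",
                friends={"dave"}),
    ]
    return {p.phone: p for p in profiles}


if __name__ == "__main__":
    directory = build_directory()
    guard = ImporterGuard()
    probe = ["+15550000001", "+15550000002", "+15550000003"]
    print("dave:", match_contacts(directory, "dave", probe, guard, now=0))
    print("eve:", match_contacts(directory, "eve", probe, guard, now=0))
    bulk = [f"+1555100{i:04d}" for i in range(50)]
    for _ in range(5):
        print("bulk:", match_contacts(directory, "eve", bulk, guard, now=10)["denied"])
```

The point of the example is the ordering of the checks: a request is refused before any number is looked up, so a throttled account learns nothing about which numbers exist, and the default profile setting means a freshly created account is never returned to strangers even when a request is allowed.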

Meta has been fined before, and the GDPR fine may not be the last.

About a year ago, WhatsApp, which is owned by Meta, was fined €225 million (about $267 million) for not being transparent enough about its data processing.

Early this fall, Instagram, which is owned by Meta, was fined €405 million for breaking children’s privacy rules. The company was also fined around $18.6 million in March for a series of past Facebook data breaches.

The DPC is also looking into other parts of Meta’s business, including a major investigation, going back about 4.5 years, into the legal basis Meta says it has for processing people’s data.
