By Luca Bertuzzi
(EurActiv) — The Irish Data Protection Commissioner levied a €265 million fine on Monday (28 November) on Meta-owned Facebook and Instagram over their data scraping practices and ordered a set of remedial actions.
The inquiry stems from massive leaks of Facebook personal data dumped online on a hacker forum in April 2021, which included sensitive information such as full names, locations, birthdates, phone numbers and email addresses.
The data leak concerned 533 million people in 106 countries – in the EU, around 86 million people were affected. At the time, Facebook said that the leaked data was old, since the mass data scraping occurred because of a vulnerability that the company had patched in August 2019.
As most Big Tech companies have their European headquarters in Ireland, the Irish data protection authority is tasked with enforcing the General Data Protection Regulation (GDPR), the EU’s privacy rulebook, against them.
A few days after the leak, the Irish authority announced a probe into the matter to examine whether Facebook’s data harvesting practices complied with the GDPR’s principle of data protection by design and default.
In particular, the investigation related to Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer, although Instagram was not directly involved in the leaks. These tools are intended to help users to find friends and acquaintances on Facebook and Instagram based on their phone numbers.
The decision, adopted last Friday, concluded that between 25 May 2018 and September 2019, the social networks violated the European privacy rules, and imposed a set of specific remedial actions as well as an administrative fine of €265 million.
A Meta spokesperson told EURACTIV that the company had made “changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers”.
“Unauthorised data scraping is unacceptable and against our rules, and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Meta can appeal the decision in court.
The fine is the second-largest against Meta so far, following a €405 million sanction against Instagram for breaching children’s privacy and surpassing a €225 million penalty against WhatsApp for failing to comply with the EU’s transparency requirements.
These past decisions on Instagram and WhatsApp went through the so-called dispute resolution mechanism since the other European data protection authorities contested the Irish authority’s conclusion and requested heftier fines. However, in this case, none objected to the decision.
Meta’s services have been sanctioned for around €1 billion for data protection breaches under EU law. The latest decision comes as further bad news for the company, which has seen a sharp decline in revenues in the past months and has had to lay off more than 11,000 staff members recently.