The Irish Data Protection Commission (DPC) has imposed a fine of over €265 million on Meta for a 2019 breach that compromised the data of European Union officials, including EU Justice Commissioner Didier Reynders, and Luxembourg Prime Minister Xavier Bettel.
According to reports, over 533 million records were leaked and exposed on a public forum. The leak included personal data such as names, birthdates, and Facebook IDs. Nearly 32 million US and 11 million UK users were impacted.
The DPC took the decision following a collaborative inquiry conducted with all the other data protection supervisory authorities within the EU. The fine, for violations of Articles 25(1) and 25(2) GDPR, was declared on 25 November 2022. Meta has been asked to bring its data processing into compliance by working on a remedial plan of action within the given timeframe.
How did the investigation into Meta begin?
The inquiry began on 14 April last year, stemming from several media reports that pointed towards personal data from Facebook being found on the internet. The inquiry commission examined and assessed samples of the data on the web and found proof of a data breach, leading to a fine and corrective measures on the social media giant. Data from the Facebook search, Facebook Messenger contact importer, and Instagram contact importer tools was investigated.
The inquiry addressed concerns about the 'Data Protection by Design and Default' requirements of Article 25 GDPR. Authorities checked the data handled by Meta Platforms Ireland between 25 May 2018 and September 2019 to confirm whether it was in compliance with the General Data Protection Regulation (GDPR), the EU's data protection law. GDPR applies to all individuals inside the European Economic Area (EEA).
What is data scraping?
While Meta said that the data in question was 'scraped' from Facebook to improve search results using phone numbers, the DPC found that it violated the privacy of over half a billion Facebook users. The company affirmed that this technique, in which automated software takes public data from the internet, can lead to that data being distributed on online forums. However, the company said that it has teams to detect privacy breaches and that this was the work of hackers who lifted the data not from its systems but by scraping it from its platform prior to September 2019.
Meta has confirmed that scraping as a functionality is no longer available after it detected the issue of the personal data breach. Meta has been on the DPC's radar for years now, with this fine being the latest in a series. For its various data privacy violations, Meta has been fined over $900 million so far. The company has been fined for several GDPR violations due to data breaches impacting customers using WhatsApp and Instagram.