- The Data Protection Commission has announced the conclusion to an inquiry into Meta, imposing a fine of €265 million and a range of corrective measures.
- The DPC started the investigation on 14 April 2021 with the discovery of a collated dataset of Facebook personal data that had been made available on the internet.
- Facebook stated that the data was gathered by exploiting a flaw in its Contact Importer tool, which it fixed in 2019.
The European Union’s Data Protection Commission has found Meta Platforms Ireland, the parent company of Facebook, Instagram, and WhatsApp, in violation of General Data Protection Regulation rules. The commission also fined the company $275.5 million and demanded that the company make changes to protect its users’ data.
533 million users’ data
The incident started when breached personal data was discovered in April 2021. The DPC opened an investigation and found that the data of 533 million Facebook users had been published on a hacker forum, including phone numbers, Facebook IDs, names, genders, locations, relationship statuses, occupations, dates of birth, and email addresses.
Facebook admitted that third parties had exploited a bug in the Contact Importer tool to associate phone numbers with Facebook IDs and scrape the associated profile information. The bug was fixed in 2019, and Facebook claims that the data was collected before the fix.
As a result of the investigation, the DPC decided that Meta infringed Articles 25(1) and 25(2) of the GDPR:
- 25(1) – The data controller shall implement appropriate technical and organizational measures, such as pseudonymization, and integrate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the rights of data subjects.
- 25(2) – The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each processing purpose are processed. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
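The Article 25(2) requirement above is a design rule, not just a legal one: a contact-import feature should match an uploaded phone number to an account only when that account's owner has chosen to be discoverable, and bulk lookups should be throttled so the feature cannot be turned into an enumeration oracle. The following Python illustration is an added example, not Facebook or Meta code; the `User` records, the `discoverable_by` setting values and the lookup quota are constructed for this illustration. The privacy-by-default choice is that `discoverable_by` starts as `"nobody"`; setting the default to `"everyone"` is the weak configuration that makes every number matchable.

```python
"""Data protection by default for a contact-import lookup (added example,
not Meta's implementation; data model and limits are constructed)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    phone: str
    # Who may find this account by phone number.  The by-default setting is
    # "nobody": an account is not reachable by phone lookup unless the
    # person opts in ("friends" or "everyone").
    discoverable_by: str = "nobody"
    friends: set = field(default_factory=set)


# Constructed sample accounts keyed by phone number (E.164, made up).
USERS = {
    "+35310000001": User("u1", "+35310000001"),                     # default: hidden
    "+35310000002": User("u2", "+35310000002", "friends", {"u1"}),  # friends only
    "+35310000003": User("u3", "+35310000003", "everyone"),         # opted in
}


class ContactMatcher:
    """Maps uploaded phone numbers to accounts, honouring each user's
    discoverability setting and throttling lookups per calling account."""

    def __init__(self, users, max_lookups_per_caller=100):
        self.users = users
        self.max_lookups = max_lookups_per_caller
        self.lookups = defaultdict(int)   # caller_id -> numbers queried so far

    def match(self, caller_id, phones):
        """Return {phone: user_id} only for accounts visible to the caller.

        Unknown numbers and hidden accounts are treated identically (both are
        simply absent from the result), so the response leaks nothing about
        whether a number is registered.  Every queried number, matched or not,
        counts against the caller's quota.
        """
        matched = {}
        for phone in phones:
            if self.lookups[caller_id] >= self.max_lookups:
                raise PermissionError("lookup quota exhausted for caller")
            self.lookups[caller_id] += 1
            user = self.users.get(phone)
            if user is not None and self._visible_to(user, caller_id):
                matched[phone] = user.user_id
        return matched

    @staticmethod
    def _visible_to(user, caller_id):
        if user.discoverable_by == "everyone":
            return True
        if user.discoverable_by == "friends":
            return caller_id in user.friends
        return False   # "nobody" (the default) or any unrecognised value


if __name__ == "__main__":
    matcher = ContactMatcher(USERS, max_lookups_per_caller=5)
    print(matcher.match("u1", list(USERS)))   # u1 sees its friend u2 and the opted-in u3
    print(matcher.match("u9", list(USERS)))   # a stranger sees only u3
```

The quota is deliberately charged per queried number rather than per matched number, so that a caller cannot probe large ranges of numbers for free; in a real service the counter would live in shared storage and be combined with per-device and per-IP limits.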
The Data Protection Commission said,
« There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.
The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on MPIL. »