Facebook: Meta fined €265m by Irish Data Protection Commission

  • Published
A person walks past the Meta logoImage source, Getty Images

Meta, the company which owns Facebook, Instagram and WhatsApp, has been fined €265m (£228m) by the Irish Data Protection Commission (DPC).

The fine is over a data breach that saw the personal details of hundreds of millions of Facebook users published online.

Phone numbers and email addresses of up to 533m users appeared on an online hacking forum.

Facebook said at the time that the information, some of which had already appeared online a number of years ago, was "scraped", but not hacked, by malicious actors through a vulnerability in its tools prior to September 2019.

"Scraping" uses automated software to lift public information from the internet that can then end up being distributed in online forums.

'Considerable risks'

However, the DPC found that Meta was in breach of Article 25 of General Data Protection Regulation (GDPR) rules.

"Because this data set was so large, because there had been previous instances of scraping on the platform, where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction," Data Protection Commissioner Helen Dixon said.

"The risks are considerable for individuals in terms of scamming, spamming, smishing, phishing and loss of control over their personal data so we imposed a fine of €265m in total."

As well as the fine, Meta has been issued with a reprimand and an order requiring it to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.

A spokesman for the company said: "Protecting the privacy and security of people's data is fundamental to how our business works. That's why we have cooperated fully with the Irish Data Protection Commission on this important issue.

"We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.

"Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully."

In September, Meta lodged an appeal in the High Court against a record fine of €405m imposed on Instagram by the DPC.

It was the largest fine ever handed down by the Irish data watchdog and was issued for breaches relating to the processing of children's data.