Facebook owner Meta has been fined €265 million ($275m) by the Irish Data Protection Commission (DPC) after the personal data of more than half a billion users was found on a hacking site.
The social media behemoth was found to have broken multiple General Data Protection Regulation (GDPR) laws after an inquiry into last April’s data breach concluded that the company had failed to protect the data of more than 530 million Facebook users.
The DPC reached its decision yesterday following a “comprehensive inquiry process including cooperation with all of the other data protection supervisory authorities within the EU.”
In its inquiry records, the commission cited Meta’s infringement of Articles 25(1) and 25(2) of the GDPR, which relate to data protection by design and by default.
As well as the hefty fine, the DPC said it will also impose a range of corrective measures, stating: “the decision imposed a reprimand and an order requiring MPIL (Meta Platforms Ireland Limited) to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.”
Meta had initially downplayed the breach when it happened in 2019, stating that it involved ‘old’ data from 2019 and that it had fixed the scraping issue in August of that year.
In a statement published by TechCrunch, Meta said “we made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules.”
Meta’s costly data battle continues
This is not the first time Meta has faced repercussions for violating data privacy regulations – and it will likely not be the last.
Just two months ago, the tech giant faced a record €405 million penalty after it was found to have violated multiple privacy regulations relating to the handling of children’s data on its popular social platform Instagram.
Meanwhile, just over a year ago, the company’s leading mobile messaging platform WhatsApp was fined €225M for “severe” and “serious” infringements of GDPR for failing to comply with its transparency rules for data transfers.
This latest sanction brings the total fines imposed on Meta by the DPC to nearly 1 billion since September last year, and with the DPC having multiple ongoing investigations into other aspects of Meta’s business, future penalties for the way the company handles data are highly likely.
Although Meta representatives have yet to confirm or deny whether the company will appeal, the technology giant is reportedly taking a closer look at the decision.
“Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue”, Meta said in a statement published by TechCrunch.
Endless penalties, little change
As the European Union voices its concern over the way in which large corporations handle the personal data of their users, experts believe that penalties like the one given to Meta will do little to change how such companies manage data.
“GDPR envisaged the imposition of such fines in part to serve as a deterrent to other companies which might consider breaching the law,” David Hackett, head of data protection in the Ireland office of law firm Addleshaw Goddard, told the Guardian.
“We are likely to see an increased debate about whether such fines actually influence corporate behaviour or if some companies simply see them as an added cost of doing business,” he added.
In July, Meta launched a new user account system for the company’s Metaverse strategy, which enables users to have multiple accounts, allowing them to upload only certain personal information.
It remains unclear whether this new format will comply with GDPR regulations, but the tech giant sees the Metaverse as the future of its business strategy, despite its poor adoption leading to revenue loss and job cuts.