Meta (formerly Facebook) has been slapped with roughly $275 million in fines by Ireland’s data privacy regulator for violating the European data protection law.
The Irish Data Protection Commission (DPC) has announced the hefty penalty in conclusion to the investigation into Meta’s failure to prevent the massive data breach that took place in 2019. The incident impacted over 530 million Facebook users, resulting in the exposure of their personal information such as email addresses and phones numbers online. The DPC, which is the lead privacy regulator overseeing Meta’s operations under the European Union’s General Data Protection Regulation (GDPR), is imposing a range of remedial measures on the tech giant. The decision to impose the fine was made last Friday, according to the watchdog.
The inquiry was opened in April last year after a report by Business Insider revealed that personal details of more than 500 million Facebook profiles had been made available on a hacker website. Meta tried to play down the massive breach, claiming user information available on the hacker site was “old data” and that the issue had been fixed.
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” Meta had said in an official statement. “This feature was designed to help people easily find their friends to connect with on our services using their contact lists.”
In less than two years, the Irish regulator has fined Meta almost $1 billion for privacy violations under the GDPR. In September, Instagram was fined a staggering $400 million for irresponsible handling of children’s data; in March, the regulator imposed a penalty of over $18 million for the company’s failure to have in place appropriate technical and organisational measures to ensure user safety and security; and in October 2021, WhatsApp was fined nearly $266 million for privacy breaches.
Meta said it is reviewing the DPC’s decision “carefully”.
“Protecting the privacy and security of people’s data is fundamental to how our business works,” Meta said in a statement issued on Monday. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.”
The DPC regulates Meta, Google, TikTok, Amazon and other tech corporations whose EU headquarters are located in Ireland. Reports suggest that the data privacy watchdog is currently leading 40 inquiries into tech giants, of which 13 concern Meta alone. Last year, the DPC fined Amazon over $886 million, which is the largest penalty imposed on a tech firm under the EU law.
