The Irish Data Protection Commission fined Meta, which owns Facebook, Instagram, and WhatsApp, €265 million (£228 million) (DPC).
The penalty stems from a data breach that resulted in the online publication of hundreds of millions of Facebook users’ personal information.
Up to 533 million users’ phone numbers and email addresses were posted on a hacking community online.
In April 2021, the DPC started an inquiry.
Facebook claimed at the time that the data, some of which had previously been published online some years prior, was “scraped” but not “hacked” by bad actors using a flaw in its systems before September 2019.
However, the DPC found that Meta was in breach of Article 25 of the General Data Protection Regulation (GDPR) rules.
“Because this data set was so large because there had been previous instances of scraping on the platform, where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction,” Data Protection Commissioner Helen Dixon said.
“The risks are considerable for individuals in terms of scamming, spamming, smishing, phishing, and loss of control over their personal data so we imposed a fine of €265m in total.”
As well as the fine, Meta has been issued with a reprimand and an order requiring it to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.
A spokesman for the company said: “Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue.
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.
“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Comments 1