Meta, the parent company behind social media brands Facebook and Instagram, has been hit with another hefty penalty for breaching European data protection law, this time from the Irish Data Protection Commission (DPC).
According to an official announcement, the Irish Data Protection Commission (DPC), the tech giant’s lead regulator for the European Union’s General Data Protection Regulation (GDPR), has issued the €265 million (~$275M) fine.
The DPC officially confirmed that the decision records findings of infringement of Articles 25(1) and 25(2) GDPR, focused on data protection by design and default.
Per the announcement: “The decision imposed a reprimand and an order requiring MPIL [Meta Platforms Ireland Limited] to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.”
Additionally, the firm believed the data had been scraped from Facebook profiles by “malicious actors” using a contact importer feature it offered up to September 2019, before tweaking it to prevent data abuse by blocking the ability to upload a large set of phone numbers to find phone numbers that matched those found within Facebook profiles and Facebook user data.
“The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (‘MPIL’) during the period between 25 May 2018 and September 2019,” the DPC wrote.
“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” it added, specifying that it had examined the implementation of “technical and organisational” measures relevant to Article 25 GDPR (which deals with data protection by design and default).
“There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC,” the regulator also said — putting a spotlight on the lack of disagreement over this particular decision, which is often not the case with cross-border GDPR enforcements (while disputes between EU regulators can often substantially increase the time it takes to enforce the GDPR — hence this final decision has landed relatively quickly).
