Data Protection Commission hits Meta with record €265m fine
Facebook parent company Meta Platforms Ireland has been hit with a fine of €265 million and compelled to introduce a range of corrective measures by the Data Protection Commission.
The breach, originally reported by Business Insider, involved the collection of the phone numbers, Facebook IDs, names, locations, birthdates, and, in some cases, e-mail addresses of 533 million users in 106 countries. The data was posted to a hacker forum.
The DPC commenced its investigation on 14 April 2021, following an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta during the period between 25 May 2018 and September 2019 – when Facebook reported that it had patched the vulnerability.
The decision, which was adopted on Friday, 25 November 2022, imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe on top of the fine – the biggest in Ireland to date. The previous biggest fine was incurred by the Meta-owned WhatsApp, which was charged €255 million for failing to clearly explain its data processing practices in its privacy notice.
This fine brings the total fines from the Irish DPC against Meta to €910 million. Previously, other European Regulators had objected to certain fines proposed by the DPC on the basis that they were too low – no objections were raised to this decision.
David Hackett, head of data protection at law firm Addleshaw Goddard Ireland, said: “We are seeing increased willingness by the Irish Data Protection Commission to impose very significant fines for breaches of the law. As well as the fine, Meta is required to take certain remedial actions to its data processing activities within a set timeframe, and it remains to be seen how the company will deal with those requirements.
“By any measure, these are significant fines. GDPR envisaged the imposition of such fines in part to serve as a deterrent to other companies which might consider breaching the law. We are likely to see increased debate about whether such fines actually influence corporate behaviour or if some companies simply see them as an added cost of doing business.”
Sarah Coop, analyst at analytics and consulting company GlobalData, said: “Meta is on a losing streak. Privacy breaches damage consumer trust, which is already dwindling for Meta. Its central social media platform, Facebook, is struggling to attract younger users due to strong competition from other platforms like TikTok. The company has also reportedly lost $9.4 billion on its metaverse business unit and has recently restructured, laying off 11,000 employees.
“GDPR fines are simply collateral damage for Big Tech. While fines can be large, at up to 4% of global turnover, most Big Tech consider it the cost of doing business. However, consumer confidence will be important for the metaverse, and cybersecurity breaches and data privacy fines further taint Meta’s already tarnished reputation.”