Meta hit with ~$275M GDPR penalty for Facebook data-scraping breach

Facebook’s parent, Meta, has been hit with another hefty penalty for breaching European data protection law.

The €265 million (~$275M) fine was announced today by the Irish Data Protection Commission (DPC), the tech giant’s lead regulator for the European Union’s General Data Protection Regulation (GDPR).

The DPC confirmed that the decision, which was adopted on Friday, records findings of infringement of Articles 25(1) and 25(2) GDPR — which are focused on data protection by design and default. 

The DPC said it is also imposing a range of corrective measures, writing: “The decision imposed a reprimand and an order requiring MPIL [Meta Platforms Ireland Limited] to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.”

The penalty relates to an inquiry which was opened by the DPC on April 14, 2021, following media reports of more than 530M Facebook users’ personal data — including email addresses and mobile phone numbers — being exposed online.

At the time, Facebook tried to play down the breach — claiming the data that had been found floating around online was “old data” and that it had fixed the issue that led to the personal data being exposed.

The company followed that by saying it believed the data had been scraped from Facebook profiles by “malicious actors” using a contact importer feature it offered up to September 2019, before it tweaked it to prevent data abuse by blocking the ability to upload a large set of phone numbers to find ones that matched Facebook profiles.

The DPC confirmed its inquiry looked at a variety of contact search and importer tools the company offers on its platforms between the date the GDPR came into application and the date of changes to the contact importer tool Facebook made in fall 2019.

“The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (‘MPIL’) during the period between 25 May 2018 and September 2019,” the DPC wrote.

“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” it added, specifying that it had examined the implementation of “technical and organisational” measures relevant to Article 25 GDPR (which deals with data protection by design and default).

“There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC,” the regulator also said — putting a spotlight on the lack of disagreement over this particular decision, which is often not the case with cross-border GDPR enforcements (while disputes between EU regulators can often substantially increase the time it takes to enforce the GDPR — hence this final decision has landed relatively quickly).

DPC deputy commissioner, Graham Doyle, told TechCrunch that the corrective measures it has applied to Meta as part of this decision are “an order pursuant to Article 58(2)(d) GDPR… to bring its processing into compliance with the GDPR in the manner specified in this Decision” — with the company getting a deadline of three months from the date of the final decision to comply with that.

“Specifically, to the extent that MPIL is engaged in ongoing processing of personal data which includes a default searchability setting of ‘Everyone’, this order requires… MPIL to implement appropriate technical and organisational measures regarding the Relevant Features in respect of any ongoing processing of personal data, for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed, and that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons,” he added, emphasizing: “This order is made to ensure compliance with Article 25(2) GDPR.”

“Relevant Features” in this context are Facebook Contact Importer; Messenger Contact Importer; Instagram Contact Importer; and Messenger Search; and its variant Messenger Contact Creator features.

Meta was contacted for a response. A spokesman did not confirm whether or not it will seek to appeal — but the tech giant said it is “reviewing” the decision “carefully”.

Here’s Meta’s statement:

“Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”

The company added that it has put in place a range of measures to combat data scraping since this breach — including applying rate limits and deploying technical tools to combat suspicious automated activity, as well as providing users with controls to limit the public visibility of their information.

The GDPR penalty is not the first for Meta — and it may not be its last.

Just over a year ago, Meta-owned WhatsApp was fined €225M (~$267M) for transparency breaches. While, back in March, the company was also fined around $18.6M over a string of historical Facebook data breaches.

The DPC also has a number of ongoing enquiries into other aspects of Meta’s business — not least a major probe of the legal basis Meta claims to be able to process people’s data which dates back around 4.5 years.

You may also like...