RegSol Blog

DPC Fines Meta €265 Million for ‘data scraping’ leak

November 2022

On 29th November 2022, the Data Protection Commission (‘DPC’) imposed a fine of €265 million and a range of corrective measures on Meta Platforms Ireland Limited (‘Meta’), data controller of the “Facebook” social media network, for failing to properly protect its data.

The fine relates to a data breach discovered in 2021, in which the personal data of EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials was included in a leak of the personal data of 533 million users across 106 countries. The leaked data, which included phone numbers, Facebook IDs, full names and birthdates, surfaced on a public forum and circulated widely on the web. Facebook subsequently fixed the vulnerability in the feature concerned, through which external parties could collect data using a process called scraping.

The DPC held that Meta failed to comply with the GDPR obligation to ensure privacy "by design and default," meaning it had engineered its products in a way that allowed personal data to leak.

The latest sanction brings the total amount Meta has been fined to roughly €1bn, including €225mn against its messaging service WhatsApp for failing to enforce transparency requirements under EU law, and a €405mn fine against Instagram for failing to protect children’s data.

For further details on the DPC’s decision, please go to the following link:

Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry
28/11/2022 - Data Protection Commission