DPC Fines Meta €265 Million for ‘data scraping’ leak
November 2022
On 29th November 2022, the Data Protection Commission (‘DPC’) imposed a fine of €265 million and a range of corrective measures on Meta Platforms Ireland Limited (‘Meta’), data controller of the “Facebook” social media network, for failing to properly protect its data.
The fine relates to a data breach discovered in 2021, in which the personal data of EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials was included in a leak of the personal data of 533 million users across 106 countries. The leaked data, including phone numbers, Facebook IDs, full names and birthdates, surfaced on a public forum and circulated widely on the web. Facebook subsequently fixed the vulnerability in the affected feature, which had allowed external parties to collect data through a process called scraping.
The DPC held that Meta failed to comply with the GDPR obligation to ensure privacy "by design and default," meaning it had engineered its products in a way that allowed personal data to leak.
The latest sanction brings the total amount Meta has been fined to roughly €1bn, including €225mn against its messaging service WhatsApp for failing to enforce transparency requirements under EU law, and a €405mn fine against Instagram for failing to protect children’s data.
For further details on the DPC’s decision, please go to the following link:
Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry, 28/11/2022 - Data Protection Commission