The Data Protection Commission (DPC) has imposed a fine of €265 million and a range of corrective measures on Meta Platforms Ireland Limited (MPIL) – data controller for Facebook.
The DPC began an inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data, available on the internet.
The scope of the inquiry concerned the period between 25 May 2018 and September 2019, and assessed Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools.
Questions of compliance
The material issues concerned questions of compliance with the GDPR obligation for data protection by design and default.
The DPC examined the implementation of technical and organizational measures pursuant to article 25 of the GDPR, which deals with this concept.
The inquiry process included cooperation with other EU data protection supervisory authorities, which have all agreed with the decision of the DPC.
The decision, which was adopted on Friday 25 November, records findings of infringement of articles 25(1) and 25(2) GDPR.
Reprimand
The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.
The decision has imposed administrative fines totaling €265 million on MPIL.
A Meta spokesman said: "Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue.
"We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Cost of doing business
Lawyer David Hackett (head of data protection in Addleshaw Goddard's Ireland office), said there is increased willingness by the Data Protection Commission to impose very significant fines for breaches of the law.
As well as the fine, Meta must take remedial actions to its data processing activities within a set timeframe. It remains to be seen how the company will deal with those requirements, he added.
"By any measure, these are significant fines. GDPR envisaged the imposition of such fines in part to serve as a deterrent to other companies which might consider breaching the law.
"We are likely to see increased debate about whether such fines actually influence corporate behaviour or if some companies simply see them as an added cost of doing business," he said.