Meta has been fined for violating European data protection law.
The 265 million fine was announced by the Irish Data Protection Commission.
The DPC confirmed that the decision, which was adopted on Friday, records findings of infringement of the data protection by design and default obligations in the European Union's General Data Protection Regulation.
The decision imposed a reprimand and an order requiring MPIL to take a range of specified corrective actions within a certain period of time.
The inquiry was opened by the DPC after media reports of more than 530M Facebook users' personal data being exposed online.
At the time, Facebook claimed that it had fixed the problem that led to the personal data being exposed, and that the data that had been found floating around online was old data.
The company followed that by saying it believed the data had been stolen from Facebook profiles by malicious actors using a contact importer feature it offered up to September 2019, before tweaking it to prevent data abuse by blocking the ability to upload a large set of phone numbers.
The DPC wrote that the scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools.
Questions of compliance with the obligation for Data Protection by Design and Default were the subject of the inquiry.
All of the other data protection authorities within the EU cooperated with the comprehensive inquiry. The regulators agreed with the decision of the DPC and put a spotlight on the lack of disagreement over it.
The DPC has applied corrective measures to Meta in order to bring its processing into compliance with the EU's General Data Protection Regulation.
To the extent that MPIL is engaged in ongoing processing of personal data which includes a default searchability setting of 'Everyone', this order requires...
Messenger Contact Importer and Messenger Search are some of the relevant features.
The person contacted Meta. The tech giant did not say whether or not it will appeal the decision.
This is Meta's statement.
“Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
The company has put in place a number of measures to combat data scrapers, including applying rate limits and using technical tools to combat suspicious activity, as well as providing users with controls to limit the public visibility of their information.
Meta has had its share of penalties, and it may not be the last.
The company was fined over a year ago for transparency violations. The company was fined $18.6 million over a string of historical Facebook data breaches.
Meta claims to be able to process people's data which dates back to 4.5 years, but the DPC is looking into the legality of that claim.