Tech giant Meta has been fined 265 million euro by Ireland’s data protection watchdog for breaching EU data privacy laws.
The Data Protection Commission (DPC) issued the sanction against the Facebook parent company for failing to protect millions of Facebook users’ personal data, such as telephone numbers and email addresses, from being “scraped” and published on the internet.
In a statement on Monday the DPC said Meta had been fined for “infringement” of sections of the EU’s GDPR rules that cover technical and organisational measures aimed at protecting user data.
It brings the total fines issued against by Meta in the past 18 months to more than 900 million euro.
The latest investigation by the DPC into Meta began in April last year “on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet”.
The data, which was found on a website for hackers, included names, phone numbers, locations, birthdates and email addresses of Facebook users.
Meta said the data had been “scraped” from Facebook.
In a statement Meta said: “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.
“Unauthorised data scraping is unacceptable and against our rules.”
The DPC said: “The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (MPIL) during the period between 25 May 2018 and September 2019.
“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.
“The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept).”
The DPC said after a “comprehensive inquiry process” that it had “recorded findings of infringement of Articles 25(1) and 25(2) GDPR”.
It ordered Meta to take remedial action to ensure “scraping” does not happen again.
“The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe,” a statement from DPC said.
“In addition, the decision has imposed administrative fines totalling 265 million euro on MPIL.”
The fine was agreed with other EU data regulators.
There have been increasing calls to better resource Ireland’s DPC, which is the de facto lead EU watchdog of data protection and privacy rules due to a large number of tech multinationals – including Facebook, Apple and Google – basing their European headquarters in Dublin.
In July, the Irish Government announced that two additional data protection commissioners would be hired, and that the current commissioner, Helen Dixon, would be promoted to chairwoman of the DPC.
It said that this was being done in response to “the increased working burden and investigative complexity has been regularly highlighted”.
The Irish watchdog issued a 405 million euro fine to Meta-owned Instagram in September over the way in which it handled teenagers’ personal data, making it the largest fine the authority has ever issued.
Instagram said it would appeal against the decision.
In March the regulator also issued a fine of 17 million euro against Facebook for breaching EU privacy laws.
Last year Meta-owned messaging service WhatsApp was hit with a fine of 225 million euro by the DPC for breaching European Union laws on transparency, and the sharing of user information with other companies owned by Facebook.