Ireland’s privacy authority on Monday imposed a €265 million fine and other corrective measures on Facebook and Instagram, both owned by US tech giant Meta, over their data scraping practices.
The Irish Data Protection Commissioner’s inquiry stems from a massive data breach discovered in April 2021, when the Facebook personal data of 533 million people in 106 countries – including sensitive information such as birthdates, phone numbers, and email addresses – ended up dispersed online in a hacker forum and circulating widely on the web.
Around 86 million people were affected in the EU, including EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel, and dozens of EU officials.
Although Instagram was not directly involved in the leaks, the investigation focused, in particular, on tools intended to help users find friends on Facebook and Instagram based on their phone numbers, such as Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer.
At the time, Facebook attributed the leak, which resulted from mass data scraping, to a vulnerability that the company had patched in August 2019, arguing that the leaked data was old.
The Irish watchdog announced a probe into the matter a few days after the leak, saying it would examine whether Facebook’s data harvesting practices complied with the General Data Protection Regulation’s (GDPR) principle of data protection by design and by default.
GDPR is the EU’s privacy rulebook, and the Irish data protection authority is tasked with enforcing it against most Big Tech companies, since their European headquarters are in Ireland.
The Irish Data Protection Commission concluded in its decision adopted last Friday that the US tech giant violated the European privacy rules between 25 May 2018 and September 2019 and failed to comply with GDPR by engineering its products in such a way that personal data could leak.
On top of the administrative fine of €265 million, it imposed a reprimand and ordered Meta to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.