Facebook parent company Meta has been fined €265 million by the Irish Data Protection Commission (DPC) following a data breach which saw the personal details of hundreds of millions of Facebook users published online.

In April 2021, the DPC launched an investigation after data including names, phone numbers and email addresses of up to 533 million users appeared on an online hacking forum.

Facebook said at the time that the information, some of which had already appeared online a number of years ago, was “scraped”, but not hacked, by malicious actors through a vulnerability in its tools prior to September 2019.

“Scraping” uses automated software to lift public information from the internet that can then end up being distributed in online forums.

The social network said it patched the vulnerability in 2019, preventing any further data from being harvested.

As part of its investigation, the Data Protection Commission carried out an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta during the period between 25 May 2018 and September 2019.

The material issues in the inquiry concerned questions of compliance with the General Data Protection Regulation (GDPR) obligation for Data Protection by Design and Default.

Meta was found to be in breach of Article 25 of the GDPR rules.

“Because this data set was so large, because there had been previous instances of scraping on the platform where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction,” said Helen Dixon, Data Protection Commissioner.

“The risks are considerable for individuals in terms of scamming, spamming, smishing, phishing and loss of control over their personal data so we imposed a fine of €265m in total,” Ms Dixon said.

As well as the fine, Meta has been issued with a reprimand and an order requiring it to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.

A Meta spokesperson said the company was reviewing the decision carefully.

“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” Meta said.

“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge,” the spokesperson added.

In September, Meta lodged an appeal in the High Court against a record fine of €405m imposed on Instagram by the DPC.

It was the largest fine ever handed down by the Irish data watchdog and was issued for breaches relating to the processing of children’s data.

Speaking on RTÉ’s News at One programme, the Data Protection Commissioner said the large fine imposed on Meta is intended to have a deterrent effect.

Helen Dixon said when products and services are being designed by companies, particularly where personal data is a large part of what is being transacted with, then the products must be designed to adequately protect a person’s data.

The fine sounds very large to an Irish audience, she said, but it must be remembered that GDPR was introduced specifically to give effect to a fundamental right in the EU – to have one’s personal data protected.

Ms Dixon added that the Commission is regulating on behalf of all EU users.

She explained that the EU provided for fines of up to four percent of the worldwide turnover of companies like Meta. Alongside the fines, a range of corrective measures have also been imposed, she added.

“We’ve forced significant changes to privacy policies. We will force a change to the default settings in relation to searchability. We will keep going until the behaviour does change,” she said.

Ms Dixon said that her office was required to submit a draft of the decision to other EU data protection authorities and no objections to the drafts were raised.

DPC concerned about Twitter staff departures

Meanwhile, the Data Protection Commissioner said today that her office was concerned about recent staff departures from Twitter.

Regulators in Europe and the US have expressed fears that resignations and lay-offs could impact on the company’s ability to meet its regulatory obligations.

“We are concerned and we are keeping in close contact with Twitter, we have a number of open inquiries with Twitter,” Ms Dixon said.

“So far, we are getting answers from Twitter, there is an acting Data Protection Officer in place but with each passing day the story is changing and media reports are evolving in terms of who has departed and who is staying so we are going to keep in close contact,” she added.

She said at a basic level, an organisation like Twitter must have a data protection officer in place with a team to support them.

She told the News at One programme that her office is seeking to establish what is in place for the Irish office.

“Importantly here in Ireland, where Twitter in Ireland is the main establishment for EU purposes under the GDPR, there has to be a board in place that’s making the decisions on personal data processing in respect of EU users.”

Ms Dixon said her office is in “multiple daily contact” with the Irish office.

So far, we are getting answers to our questions, she said, but concerns do remain.

“It’s a fast-evolving situation. We are keeping track.

“I think where we arrive at the point that we can’t get answers, or we have no points of contact – then we will be in very serious difficulty,” she said.

Complaints to DPC in 2022

In general, the Data Protection Commissioner said that there have been slightly fewer complaints received so far this year, compared to last year.

Ms Dixon said the final statistics will be compiled next month but she expects that the number of complaints received could be between 9% and 10% lower than in 2021.

She explained that in other years very specific issues arose – such as Covid and the mother and baby homes.

“We may now be seeing a levelling out as we get back to more normal times,” she said.