Meta Fined by Irish Privacy Regulator for GDPR ViolationsFine Tied to Data Scraping Incident Revealed in 2021
The Irish data privacy watchdog levied a 265 million euro fine against Facebook parent company Meta after a data set containing details of more than half a billion social media users appeared online last year.
The Irish Data Protection Commission initiated an investigation shortly after Facebook acknowledged the data came from its site. Bad actors, it said, had scraped the data, exploiting a technique the social media giant remedied in 2019.
The exposed data of 533 million users included names, phone numbers and birthdates from consumers in 106 countries who used the platform between 2018 and 2019.
The Irish investigation, which assessed the internal workings of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer, revealed Meta had violated the "data protection by design and default" requirement mandated by the General Data Protection Regulation.
In addition to the fine, the Irish regulator directed Facebook to ensure against a repeat occurrence. Facebook, like many U.S. tech companies, houses its international headquarters in Dublin, giving the Irish privacy watchdog outsized oversight influence over Silicon Valley.
In an emailed statement, a Meta spokesperson said the company "cooperated fully" with Irish authorities. "We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge," the spokesperson said.*
In response to the published data set, a Facebook executive in 2021 wrote that the social media giant strives to make scraping harder by imposing rate and data limits for interacting with its products. Product Management Director Mike Clark said the company also looks for "patterns in activity and behavior that are typically associated with automated computer activity."
Monday's fine is the third levied by the Irish agency on Facebook for GDPR violations. The regulator imposed a 405 million euro fine against the company for violating children's privacy related to its Instagram platform in September. In March, Meta was slapped with a fine of 17 million euros for failing to take appropriate technical measures relating to a series of data breaches in 2018.
*Updated Nov. 29, 2022, 18:57 UTC: Adds comment from Meta spokesperson.