Meta has been fined €265m by Ireland’s Data Protection Commissioner for failing to prevent phone numbers, emails and other personal information from millions of Facebook users from being ‘scraped’ and published on the internet.
The latest fine means that Ireland’s pan-European regulator has fined Meta nearly €1 billion over the past 18 months.
The new sanction addressed systemic errors that led to the release of personal data, including mobile phone numbers, by Gardai, acting judges, prison officials, social workers, journalists and others. It has coincided with a rise in fraudulent calls and SMS in Ireland and across Europe.
Around 1.3 million Irish Facebook accounts were affected, and hundreds of millions worldwide were also affected.
At the time, Facebook blamed the breach on “evil actors” who “scratched” the Facebook website for the personal information.
But in its ruling, the Irish DPC said it was Facebook that had not designed its systems well enough to prevent such “scraping”.
The fine was agreed with other European data regulators. It is the second major fine against Facebook by the Irish regulator and the fourth major fine against Meta from Commissioner Helen Dixon’s office in the past 18 months.
Last year, it fined WhatsApp €225 million for insufficiently explaining how it processed personal data. WhatsApp has appealed the decision. In March, the DPC fined Facebook €17 million for organizational shortcomings, while in September the agency fined Instagram a record €405 million for failing to protect the privacy of children’s accounts.
That means Irish regulator Meta has fined €912m over the past 12 months. Fines levied in Ireland go to the Irish Treasury.
In a statement, Meta declined to say if she would appeal the verdict.
“We are carefully reviewing this decision,” a spokesman said. “We made changes to our systems at the time in question, including removing the ability to scrape our functions in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules and we will continue to work with our colleagues on this industry challenge. We have worked extensively with the Irish Data Protection Commission on this important matter.”
Throughout the case, Meta has objected to describing the incident as a “data breach,” “leak,” or “hack.” Although it has admitted that it changed its systems after the issue was raised, it has called data scraping an internet-wide problem that can never be fully addressed.
However, the Irish regulator’s finding that there is a serious lack of protection for users could call into question Meta’s technical terminology preferences.
Facebook, the DPC found, had breached GDPR regulations, which required the company to “take appropriate technical and organizational measures.” It also found that Facebook has breached GDPR rules, which require it to take “appropriate technical and organizational measures” that “ensure that, by default, personal data is not made accessible without individual intervention.”
The DPC said the GDPR rules are clear.
“The key questions in this investigation related to compliance issues with the GDPR privacy obligation by design and by default,” the regulator said in a statement. “The DPC has examined the implementation of technical and organizational measures in accordance with Article 25 [of] GDPR.”
The investigation, which relates to systemic failures at Facebook between 2018 and 2019, was launched last year.
“The DPC initiated this investigation on April 14, 2021, following media reports of the discovery of an aggregated dataset of Facebook Personal Data that had been made available on the internet,” the DPC statement said.
“The scope of the investigation concerned an investigation and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited in the period between 25 May 2018 and September 2019.”
The “comprehensive inquiry process,” the statement said, included cooperation with all other data protection regulators within the EU. Those regulators agreed with the DPC’s decision, it said.
https://www.independent.ie/business/technology/meta-fined-265m-in-facebook-data-scraping-case-that-exposed-millions-of-mobile-phone-numbers-42179037.html Meta fined €265 million in a Facebook data-scraping case that exposed millions of cell phone numbers