2022-11-28

Facebook’s parent company Meta has been hit with another heavy penalty for breaching EU data protection law.

The €265 million (~$275 million) fine was announced today by the Irish Data Protection Commission (DPC), the tech giant’s lead regulator under the European Union’s General Data Protection Regulation (GDPR).

The DPC confirmed that the decision, which was adopted on Friday, records findings of breaches of Articles 25(1) and 25(2) of the GDPR, which focus on data protection by design and by default.

The DPC said it was also imposing a series of corrective measures, writing: “The decision imposed a reprimand and an order compelling MPIL [Meta Platforms Ireland Limited] to bring its processing into compliance by taking a series of specified corrective actions within a given time frame.”

The sanction concerns an investigation that was opened by the DPC on April 14, 2021, following media reports that the personal data of more than 530 million Facebook users – including email addresses and cell phone numbers – had been exposed online.

At the time, Facebook tried to play down the breach – saying the data that had been found online was “old data” and that it had fixed the problem that led to the personal data being exposed.

The company went on to say it believed the data had been extracted from Facebook profiles by “malicious actors” using a contact import feature it offered until September 2019, before changing it to prevent abuse by removing the ability to upload a large set of phone numbers and find those that matched Facebook profiles.

The DPC confirmed that its investigation covered a range of contact importer and search tools that the company offers on its platforms, over the period between the date the GDPR came into force and the date of the changes to Facebook’s contact importer tool in fall 2019.

“The scope of the inquiry related to a review and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to the processing carried out by Meta Platforms Ireland Limited (“MPIL”) during the period between 25 May 2018 and September 2019,” wrote the DPC.

“The material issues of this investigation concerned questions of compliance with the GDPR obligation of Data Protection by Design and Default,” it added, specifying that it had examined the implementation of “technical and organizational” measures falling under Article 25 GDPR (which deals with data protection by design and by default).

“There has been a full investigation process, including cooperation with all other data protection supervisory authorities within the EU. These supervisory authorities have accepted the decision of the DPC,” the regulator also said – highlighting the absence of disagreement over this particular decision, which is often not the case with cross-border GDPR cases (disputes between EU regulators can significantly lengthen the time it takes to enforce the GDPR, which is why this final decision landed relatively quickly).

DPC Deputy Commissioner Graham Doyle told TechCrunch that the remedy applied to Meta as part of this ruling is “an order under Section 58(2)(d) of the GDPR… to bring its processing into compliance with the GDPR in the manner specified in this decision” — the company having three months from the date of the final decision to comply.

“Specifically, to the extent that MPIL is engaged in ongoing processing of personal data that includes a default search parameter of ‘Everyone’, this order requires…MPIL to implement appropriate technical and organizational measures regarding the Relevant Features with respect to any ongoing processing of personal data, to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed, and that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons,” he added, emphasizing: “This order is made to ensure compliance with Article 25(2) GDPR.”

“Relevant Features” in this context are the Facebook Contact Importer; the Messenger Contact Importer; the Instagram Contact Importer; and Messenger Search and its variant, the Messenger Contact Creator.

Meta has been contacted for a response. A spokesperson would not confirm whether or not it would seek to appeal – but the tech giant said it was “reviewing” the decision “carefully”.

Here is the statement from Meta:

“Protecting the privacy and security of people’s data is fundamental to the operation of our business. We have therefore cooperated fully with the Irish Data Protection Commission on this important matter. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules and we will continue to work with our peers on this industry challenge. We are carefully reviewing this decision.”

The company added that it had implemented a series of measures to combat data scraping since this breach, including applying rate limits, deploying technical tools to counter suspicious automated activity, and providing users with controls to limit the public visibility of their information.
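To make the two Article 25 points above concrete (a narrower default than an “Everyone” search setting, and a cap on how many numbers one requester may match per window), here is an added illustration written for this article; it is not Meta’s code, and the directory, friend graph and limits are constructed sample data.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory: phone number -> (user id, phone-searchability setting).
# "everyone" mirrors the broad default criticised in the decision; "friends" and
# "only_me" are the narrower settings a privacy-by-default design would start from.
DIRECTORY = {
    "+15550001": ("alice", "everyone"),
    "+15550002": ("bob", "friends"),
    "+15550003": ("carol", "only_me"),
}
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}


class ContactMatcher:
    """Phone-to-profile matching that honours each owner's setting and rate-limits bulk lookups."""

    def __init__(self, max_numbers_per_window, window_seconds, clock=time.monotonic):
        self.max_numbers = max_numbers_per_window
        self.window = window_seconds
        self.clock = clock  # injectable for deterministic tests
        self.usage = defaultdict(deque)  # requester -> timestamps of numbers looked up

    def _consume(self, requester, count):
        # Sliding-window budget: a requester may match at most max_numbers per window,
        # so uploading a huge contact list cannot enumerate the directory in one go.
        now = self.clock()
        q = self.usage[requester]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) + count > self.max_numbers:
            return False
        q.extend([now] * count)
        return True

    def _visible(self, requester, owner, setting):
        if setting == "everyone":
            return True
        if setting == "friends":
            return requester in FRIENDS.get(owner, set())
        return False  # "only_me" or unknown: never discoverable by phone number

    def match(self, requester, phone_numbers):
        """Return {phone: user_id} for numbers the requester is allowed to resolve."""
        if not self._consume(requester, len(phone_numbers)):
            raise PermissionError("rate limit exceeded for contact import")
        return {p: DIRECTORY[p][0] for p in phone_numbers
                if p in DIRECTORY and self._visible(requester, *DIRECTORY[p])}
```

A stranger resolving the same three numbers only learns the one profile left on the “everyone” setting, and a second batch in the same window that exceeds the budget is refused rather than partially served.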

The GDPR sanction is not the first for Meta – and it may not be the last.

Just over a year ago, WhatsApp, owned by Meta, was fined €225 million (~$267 million) for transparency violations. In March, the company was also fined about $18.6 million for a series of historic Facebook data breaches.

The DPC also has a number of ongoing inquiries into other aspects of Meta’s business – including a major inquiry into the legal basis on which Meta claims to be able to process people’s data, which dates back around 4.5 years.