Date: 2022-11-28

Meta has been fined €265m by Ireland’s Data Protection Commissioner for not preventing millions of Facebook users’ phone numbers, emails and other personal data being ‘scraped’ and published onto the wider internet.

The latest fine means that Ireland’s pan-European regulator has now levied almost €1bn in fines on Meta in the last 18 months.

The new sanction was for systemic failures which resulted in the publication of personal data, including mobile phone numbers, of gardai, sitting judges, prison officers, social workers, journalists and others. It coincided with a spike in scam calls and texts in Ireland and across Europe.

Around 1.3m Irish Facebook accounts were affected, with hundreds of millions worldwide also impacted.

At the time, Facebook blamed the breach on “bad actors” who had “scraped” Facebook’s website for the personal details.

But in its ruling, Ireland’s DPC said that it was Facebook that hadn’t designed its systems well enough to stop such ‘scraping’ happening.

The fine was agreed with other European data regulators. It is the second major fine on Facebook imposed by the Irish watchdog, and the fourth large fine on Meta from Commissioner Helen Dixon’s office in the last 18 months.

Last year, it sanctioned Meta-owned WhatsApp €225m for inadequately explaining how it processed personal data. WhatsApp has appealed the decision. In March, Facebook attracted a €17m fine from the DPC for organisational inadequacies, while in September, the agency hit Instagram with a record €405m for not protecting the privacy of children’s accounts.

It means that Ireland’s regulator has now imposed fines of €912m on Meta in the last 12 months. Fines collected in Ireland go to the Irish public exchequer.

In a statement, Meta declined to say whether it would appeal the verdict.

“We are reviewing this decision carefully,” said a spokesperson. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We have cooperated fully with the Irish Data Protection Commission on this important issue.”

Throughout the case, Meta has taken issue with the incident being described as a “data breach”, a “leak” or a “hack”. Despite admitting that it changed its systems after the issue was raised, it has characterised data-scraping as an internet-wide problem that can never be fully countered.

However, the Irish regulator’s finding of a serious lack of protection for users may render Meta’s technical terminology preferences moot.

Facebook, the DPC found, had failed GDPR provisions obliging the company to “implement appropriate technical and organisational measures”. It also found that Facebook failed GDPR rules that require it to implement “appropriate technical and organisational measures” which “ensure that, by default, personal data are not made accessible without the individual’s intervention”.

The DPC said that GDPR rules were clear.

“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for data protection by design and default,” the regulator said in a statement. “The DPC examined the implementation of technical and organisational measures pursuant to Article 25 [of] GDPR.”

It said that the investigation, which relates to systemic failures at Facebook between 2018 and 2019, was kicked off last year.

“The DPC commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet,” the DPC statement said.

“The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited during the period between 25 May 2018 and September 2019.”

The “comprehensive inquiry process”, the statement said, included cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC, it said.