A top European regulator has fined Facebook owner Meta €265 million ($277 million) for failing to protect more than half a billion users’ information from so-called data scrapers.
The Irish Data Protection Commission, Meta’s main privacy watchdog in the European Union, levied the fine following disclosure of an investigation in the spring of 2021 that revealed over 530 million Facebook users’ information had been leaked on a public forum.
The fine issued Monday is the fourth time that Ireland has penalized Meta and its subsidiaries, including Instagram and WhatsApp, over the past 15 months, highlighting the EU’s increasingly tightening privacy regulations against large technology companies.
The other cases include Instagram mishandling children’s data, Meta’s data breach affecting 30 million Facebook users, and WhatsApp failing to comply with transparency obligations. The social media giant is appealing those charges.
A Meta spokesperson told SC Media in an email that the company is carefully reviewing Monday’s decision and has not decided whether to appeal.
“Protecting the privacy and security of people’s data is fundamental to how our businesses work. That is why we have cooperated fully with the Irish Data Protection Commission on this important issue,” the spokesperson wrote. “Unauthorized data scraping is unacceptable and against our rules, and we will continue working with our peers on this industry challenge.”
In response to the data leak uncovered in April 2021, Meta admitted that hackers had scraped data using legitimate tools, including Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer, which the company halted in 2019.
The Meta spokesperson also reiterated that the company has removed the ability to use phone numbers to scrape data.
According to Ireland’s Data Protection Commission, Meta has not taken sufficient technical and organizational measures to protect users’ data, violating the General Data Protection Regulation obligation for Data Protection by Design and Default. SC Media has reached out to the regulator, asking for their view on how Meta can better comply with the rule.
The EU has continued tightening regulation of tech giants over the past year, with those companies now communicating with the European Commission to specify the application of each new law. It’s a reality that many U.S.-based tech companies must deal with as the regulatory gap between Europe and the United States continues to grow, and EU regulators have shown a greater willingness to hit violators in their pocketbook with fines and other financial penalties.
Not everyone is a fan of that approach.
“The goal of privacy regulators should be compliance and increasing privacy and security rather than rushing to fine and take enforcement action,” Brandon Pugh, senior fellow and policy counsel at R Street Institute, said.
But the massive amounts of personal user data held by social media companies like Meta, their inability to properly secure it and a steady string of breaches and leaks have made such fines and enforcement penalties more common, both in the United States and Europe.
Chris Gray, AVP of security strategy at Deepwatch, said that these new standards can be either “significant” or “very troublesome.”
“These newer versions [of privacy law] are becoming less forgiving about partner nations that do not align fully with local expectations. While we cannot assume that these will be automatically revoked and made unusable, we do need to believe that adjustments will need to be made,” Gray told SC Media.