
The Data Protection Commission imposes another sizeable fine on Meta for GDPR violations


The Data Protection Commissioner (‘DPC’) imposed a fine of €265 million on Meta, the parent company of Facebook, Instagram and WhatsApp, this week for a data leak discovered last year.

The fine issued on Monday stems from an investigation by the office of the DPC into reports that Facebook had not properly safeguarded its platform against being ‘scraped’, which led to a collection of personal information including phone numbers, Facebook IDs, locations, birthdates and email addresses of 533 users in 106 countries being collated and made available online.

The Data Protection Commissioner wrote: “The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.” The obligation for Data Protection by Design and Default is enshrined in Article 25 of the General Data Protection Regulations.

Data protection by design and default ensures that data controllers tailor their data protection to the scale of the organisation, rejecting a one-size-fits-all approach to data protection. Additionally, organisations are to ensure the privacy of data subjects is protected by collecting only as much data as is necessary, using it only for the purpose for which it was collected and keeping it only as long as it is required.

This significant penalty follows a €405 million fine in September for a violation of children’s privacy on Instagram, a €17 million fine in March for a string of historical data breaches and a €225 million fine for data breaches on Meta-owned WhatsApp. Meta said in a statement that “unauthorised data scraping is unacceptable and against our rules” and the company has since changed its policies to prevent such practices. Meta did not say whether it would appeal the decision, as it has for the previous penalties.

The fine is the third highest administered by any EU authority under GDPR to date, behind only the September fine and a fine of €746 million levied on Amazon by the DPA of Luxembourg in July of last year.


About the author: Ciarán Leavy, Partner and Head of Commercial Litigation.