On Monday, Irish regulators imposed a €265 million ($277 million) fine on Meta for an alleged privacy violation impacting more than 500 million users on the big blue Facebook app. The fine, which involves third-party data scraping previously occurring on the platform, marks the third fine from the organization in less than two years.
The most recent penalty stems from an April 2021 data breach where a hacker reportedly published a trove of scraped personal data from users on an online forum which included phone numbers, Facebook ID’s and birthdays. That leaked trove, according to Politico, reportedly included personal data from EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister, and other EU officials. At the time, Meta spokespeople (then just called Facebook) attempted to play off the breach, claiming they were made aware of the issue back in 2019 and that information in question consisted mostly of, “old data.”
Those obfuscations didn’t sit well with regulators at Ireland’s Data Protection Commission. In a blog post, the regulator says Meta failed to comply with the General Data Protection Regulation’s obligation to provide privacy by default and design. Aside from the fine, the regulators also issued a corrective measure intended to bring Meta’s processing into compliance, “by taking a range of specified remedial actions.” It’s unclear exactly what those actions entail. The penalties conclude a more than 18 month probe investigating the company’s data security practices.
Ireland, which remained in the EU after Britain officially left in 2020, plays a crucial role in GDPR enforcement efforts since it’s the epicenter for several tech headquarters in the continent. Meta, Google, and Twitter all have headquarters in Ireland, which means Ireland’s Data Protection Commission is in charge of enforcing their GDPR compliance.
In an email to Gizmodo, a Meta spokesperson didn’t refute the regulators’ specific charges and said it had “cooperated fully” with the investigation.
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” the spokesperson said. “Unauthorized data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.”
The spokesperson would not say whether Meta would appeal the fine, saying only that it was, “reviewing this decision carefully.”
The new fines come just two months after Irish regulators hit Meta with a separate $403 million fine (the second largest issued under GDPR rules) for allegedly failing to properly protect children’s privacy on Instagram. Not long before that, Irish regulators fined the company around $266 million over alleged WhatsApp privacy breaches and transparency issues. Meta called those fines—which originally hovered around $52 million—”entirely disproportionate.”
Whether or not Meta will actually end up paying any of these penalties, at least in their current forms, remains unclear. Large tech companies like Meta regularly find themselves on the receiving end of numerous lawsuits and fines from regulators across the globe, some more serious than others. Only a fraction of those ever end up in payouts or settlements. Still, Irish regulators have shown a strong willingness to follow GDPR rules to the letter of the law, a tendency likely to please frustrated privacy advocates who’ve criticized European countries for failing to properly use the data protections laws at their disposal.