Irish regulator fines Meta €265m for GDPR failings

Data protection “by design and default” failings in Meta’s software led to the exposure of personal details of 533 million users.

The Irish Data Protection Commission (DPC) has imposed a fine of €265m ($275m) on Meta, which is the parent entity and data controller for Facebook and Instagram.

The fine, along with a range of specific corrective measures within a stipulated timeframe, is being imposed as a result of the publication of personal data of approximately 533 million Facebook users on the internet.

A design vulnerability in tools provided by Facebook and utilised to import contacts left the personal data of Facebook’s users exposed to a legal technique called “data scraping”. The technique was utilised to create a collated list of the personal data of users, which itself was then made available publicly.

The DPC inquiry examined the release of personal data itself, as well as Facebook’s compliance with its GDPR obligations regarding data protection “by design and by default”, and found that Meta had infringed GDPR Articles 25(1) and 25(2).

It is possible that Meta will choose to challenge this decision and fine. It has recently appealed another significant DPC fine imposed for violations of children’s privacy on Instagram. The size of the fines, against the backdrop of declining Meta revenue, makes it more likely that Meta will not concede until it has exhausted all of its legal options in both cases.