Welcome to GRIP, Global Relay’s new digital information service on practical compliance and regulatory change.

Please enjoy this free trial of our subscription content service, for a limited time only.

  

Rules

Irish regulator fines Meta €265m for GDPR failings

Photo: Getty Images

Thomas Hyrkiel

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Data protection “by design and default” failings in Meta’s software led to the exposure of personal details of 533 million users.

The Irish Data Protection Commission (DPC) has imposed a fine of €265m ($275m) Meta, which is the parent entity and data controller for Facebook and Instagram.

The fine, along with a range of specific corrective measures within a stipulated timeframe, is being imposed as a result of the publication of personal data of approximately 533 million Facebook users on the internet.

A design vulnerability in tools provided by Facebook and utilised to import contacts left the personal data of Facebook’s users exposed to a legal technique called “data scraping”. The technique was utilised to create a collated list of the personal data of users, which itself was then made available publicly.

The DPC inquiry examined the release of personal data itself, as well as Facebook’s compliance with its GDPR obligations regarding data protection “by design and by default”, and found that Meta had infringed GDPR Articles 25(1) and 25(2).

It is possible that Meta will choose to challenge this decision and fine. It has recently appealed another significant DPC fine imposed for violations of children’s privacy on Instagram. The size of the fines, against the backdrop of declining Meta revenue, makes it more likely that Meta will not concede until it has exhausted all of its legal options in both cases.

, , , ,

You may also like