Meta Platforms Ireland Ltd., the Irish subsidiary of Facebook owner Meta Platforms Inc., was fined €265 million ($274 million) today by Ireland’s Data Protection Commission for breaching the European Union General Data Protection Regulation.
The commission launched an investigation in April 2021 following media reports that a collected dataset of Facebook personal data had been made available on the internet. The data related to the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools and was gathered between May 2018 and September 2019.
The commission considered whether the published data complied with the GDPR obligation of Data Protection by Design and Default, Article 25 of the regulation. Having undertaken a comprehensive inquiry, the commission found that Meta breached Articles 25(1) and 25(2) of the GDPR.
Along with the fine, Meta was also ordered to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.
The fine is not the first time Meta and its subsidiaries have been penalized by Ireland’s regulator. Meta was fined $402 million in September after the Data Protection Commission found that Instagram had failed to comply with GDPR regulations, $18.7 million in March in relation to cybersecurity controls, and $267 million in September 2021 for a GDPR breach involving WhatsApp.
“This is a significant penalty at a time when Meta’s stock price has been in significant decline and in the midst of layoffs,” Andrew Barratt, vice president at cybersecurity advisory services company Coalfire Systems Inc., told SiliconANGLE. “It’s yet more bad news showing that the data protection authorities have some significant enforcement powers now.”
Mike Parkin, senior technical engineer at cyber risk management firm Vulcan Cyber Ltd., commented that regulators in Europe, especially European Union member countries, take privacy seriously, much more so than regulators in the U.S. do.
“Given Meta’s history with user data privacy, it seems they got off reasonably light,” he said. “Companies that are used to operating with minimal concern for user data privacy need to understand that we’ve been moving towards stronger protections and user rights for some time, especially in Europe. If they aren’t making good faith efforts to protect that user data, they may face serious financial impacts if threat actors manage to get it.”