Ireland data regulator fines Meta $275M over leak of Facebook user data

The Data Protection Commission (DPC), Ireland’s data regulator, Monday fined Meta $275 million (€265 million) for violating Europe’s data privacy law. The regulators claimed that Meta, Facebook’s parent company, failed to prevent hackers from siphoning off personal information from more than 500 million Facebook users in a 2019 data leak.

The DPC announced its conclusion following an inquiry into Meta Platforms Ireland Limited, data controller of the Facebook social media network. DPC ultimately imposed a fine and a range of corrective measures.

The inquiry began in April 2021 and examined media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools, in relation to processing carried out by Meta between 25 May 2018 and September 2019.

The DPC was concerned with compliance issues relating to the EU General Data Protection Regulations (GDPR). The decision recorded findings of infringement of Articles 25(1) and 25(2) GDPR. These articles relate to the idea of “Data Protection by Design and Default” and promote the concepts of pseudonymisation, data-minimisation, and safeguards when dealing with personal data. Article 25(2) specifically states:

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

The decision also imposed a reprimand and an order requiring Meta to bring its processing into compliance with EU law.