Meta fined €265m by Irish watchdog for Facebook data breach

28 Nov 2022

Image: © Tada Images/

The Irish data watchdog has now hit Meta with nearly €1bn in fines over privacy breaches.

Ireland’s data watchdog has imposed a €265m fine on Meta following a data breach that affected millions of Facebook users.

In April 2021, the Data Protection Commission (DPC) commenced an inquiry into Meta after a database of information on 533m Facebook users emerged on a hacking forum. This scraped data included phone numbers, Facebook IDs, names, locations, birthdates and email addresses.

At the time, the DPC said it believed that “one or more provisions” of GDPR and the 2018 Data Protection Act could have been infringed in relation to Facebook users’ personal data.

A probe was launched to determine whether the social media giant complied with its obligations for processing personal user data by means of the Facebook search, Facebook Messenger contact importer and Instagram contact importer features.

“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for data protection by design and default,” the DPC said in a statement today (28 November).

It found that the company violated the articles of GDPR that require the implementation of appropriate technical and organisational measures to protect data, and “ensure that, by default, personal data are not made accessible without the individual’s intervention”.

A draft decision in this probe was sent by the DPC to other EU data authorities last month. The Irish watchdog said today that other supervisory authorities agreed with its decision.

As well as the €265m fine, the DPC has imposed an order requiring Meta to bring its processing into compliance by taking “a range of specified remedial actions within a particular timeframe”.

At the time of the leak, Facebook said the data came from a large-scale scraping incident that took place before the introduction of GDPR, and so it was not required to notify the DPC.

Today, a Meta spokesperson said that the company has “cooperated fully” with the Irish DPC on this issue.

“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” the spokesperson said.

“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”

While significant, this is not Meta’s biggest fine from the DPC. The social media giant was recently fined €405m by the data watchdog for breaching GDPR related to children’s privacy on Instagram, including the publication of kids’ email addresses and phone numbers in some cases.

Together with a €225m fine for WhatsApp GDPR breaches in 2021, the Irish data watchdog has hit Meta with nearly €1bn in penalties over the past year and a half.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic