The draft decision on the Meta investigation has been sent to other EU data authorities, which have one month to review and raise any objections.
Ireland’s Data Protection Commission (DPC) has submitted a draft decision on a large-scale investigation into Facebook parent company Meta.
In a statement on 14 April 2021, the DPC said it believed that “one or more provisions” of GDPR and the 2018 Data Protection Act could have been infringed in relation to Facebook users’ personal data.
The investigation was launched to determine whether the social media giant complied with its personal data obligations by means of the Facebook search, Facebook Messenger contact importer and Instagram contact importer features.
DPC deputy commissioner Graham Doyle said the draft decision from this probe was submitted to other European data watchdogs on 30 September.
“This is part of the process under Article 60 of the GDPR, where the DPC sends draft decisions to other concerned supervisory authorities and they have one month to review its draft decision and raise any ‘relevant and reasoned objections’ that they may have,” Doyle said.
This must be done before the DPC can issue a final decision, which may include a fine for Meta if the company is found to have breached GDPR.
At the time of the leak, Facebook said the data came from a large-scale scraping incident that took place before the introduction of GDPR, and so it was not required to notify the DPC.
Meanwhile, Meta has lodged a High Court appeal against the €405m fine the DPC issued to Instagram last month.
This is the highest fine ever imposed by the DPC and relates to breaches made in the processing of children’s data.
The Irish data watchdog said its investigation concerned the processing of personal data related to minors and their privacy, with children’s email addresses and phone numbers being made public in some cases.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.