Irish DPC Imposes $277 Million Fine on Meta
The Irish Data Protection Commission (DPC) said the decision was the conclusion of a year-long inquiry into Facebook’s user data processing woes, beginning in April of last year, and is supported by every major EU data protection supervisory authority. The penalty will tip Meta’s total payouts for GDPR violations to just over $1 billion within the last 18 months and will be the fourth fine in approximately a year. Instated in 2018, the GDPR is unanimously considered the most rigorous data protection and regulation act on the planet. Under the regulation, several organizations were hit with a whirlwind of fines totaling $1.1 billion between January 2021 and 2022 alone — a seven-fold increase from 2020. At the moment, that figure has skyrocketed to an estimated $2 billion.
Data ‘Scraping,’ Violation of ‘Data Protection by Design and Default’
The EU-wide inquiry began after media reports revealed “a collated dataset of Facebook personal data that had been made available on the internet,” the DPC said. The investigation looked at data processing carried out by the Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools between May 25, 2018, and September 2019.
In April last year, Facebook blamed hackers for abusing Facebook’s Contact Importer tool to “scrape” the personal details of over 500 million Facebook users and post them on a dark web hacker forum. Crooks could do this by using the same tools that allow users to search for friends by phone number or through contact import features. The data included personally identifiable information (PII) such as Facebook IDs, birth dates, phone numbers, location information, email addresses, and more belonging to judges, journalists, prison officers, and others.
Business Insider, which investigated and reported the scraped dark web Facebook user data in April last year, said a Facebook system vulnerability — which Facebook said it patched in August 2019 — led to the data theft. However, the DPC and all major EU supervisory boards now point the finger at Facebook and have agreed that the company’s systems were inadequate to stop mass data scraping.
Facebook’s response yesterday was that it is carefully reviewing the DPC’s decision and that any unauthorized data scraping is unacceptable and against company policy. Meta has said that it is in total cooperation with the Irish watchdog and has removed features that allow for such data scraping. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” Meta said in a statement to media. “Unauthorized data scraping is unacceptable and against our rules.”
Exposed personal data can facilitate phishing campaigns and identity fraud, so it’s essential to avoid interacting with emails from senders who are unknown or suspicious to you. To see if your email or phone number has been leaked in a breach, head over to the haveibeenpwned website to check. You’ll also want to stay on top of the most common Facebook scams of 2022 and practice strict password hygiene across all of your online accounts to protect yourself.