Irish DPC fines Meta/Facebook €265 million after data privacy incident

[German]The Irish Data Protection Commission (DPC) has imposed a 265 million fine on Meta, Facebook's parent company. This follows a data protection incident in which millions of Facebook users' data was pulled from the company's systems via tools until September 2019. The Irish Data Protection Authority then launched a formal investigation in April 2021.


I had reported in April 2021 on a major data privacy incident at Facebook in the German blog post Hacker publiziert 533 Millionen Telefonnummern von Facebook-Nutzern. A hacker published the phone numbers and account information of an estimated 533 million Facebook users – about one-fifth of the social network's total user pool – on a publicly accessible cybercrime forum.

The published data was entered by users on their Facebook profiles. Depending on the Facebook users' willingness to provide information, the information that has now become public includes Facebook ID numbers, profile names, email addresses, location information, gender details, job data and so on.

The Irish Data Protection Commission (DPC) had then opened an investigation against Facebook/Meta on April 14, 2021. The proceedings stemmed from media reports about the discovery of this data leak involving personal data from Facebook, which had been made accessible on the Internet.

Facebook published a statement at that time, that the data in question had been siphoned off by "malicious actors" via a vulnerability in its tools before September 2019. The scope of the DPC investigation involved an audit and assessment of the Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools in relation to processing conducted by Meta Platforms Ireland Limited ("MPIL") between May 25, 2018 and September 2019.

According to the DPC, the main points in this investigation concerned issues of compliance with the GDPR obligation on data protection by design and standard. The DPC investigated the implementation of technical and organizational measures under Article 25 of the GDPR (which addresses this concept). Now, in a statment dated November 28, 2022, the DPA announces the conclusion of this investigation against Meta Platforms Ireland Limited (MPIL).


The DPC has imposed a fine of €265 million and a set of remedial action specifications against Meta and its subsidiary Facebook. This decision was preceded not only by the extensive investigation process mentioned above. But there was also cooperation with all other data protection supervisory authorities in the EU. These supervisory authorities agreed with the DPC's decision to impose the fine.

The BBC quotes Helen Dixon, Data Protection Commissioner, as saying, "Because this dataset was so large and there had been previous instances of scraping on the platform where the problems could have been identified in time, we ended up imposing a significant penalty. The risks to individuals in terms of scamming, spamming, smishing, phishing, and losing control of their personal data are significant, which is why we imposed a total fine of €265 million."

Just to put things in perspective, the Irish Data Protection Commission (DPC) had fined Meta subsidiary Instagram €405 million on September 15, 2022 for processing children's data (see Irish data protection authority imposes €405 million GDPR fine on Instagram).

The DPC writes that the decision, adopted on Friday, November 25, 2022, finds a breach of Article 25(1) and (2) of the GDPR by Facebook. The decision issued a reprimand and an order requiring Meta Ireland (MPIL) to bring its processing into compliance. To do so, the company must implement a set of specified remedies within a certain timeframe. The decision also fined MPIL a total of EUR 265 million.

A spokesperson for the company said that protecting the privacy and security of Facebook's customers' data is fundamental to the company. That's why it had cooperated with the Irish Data Protection Commission, he said. In addition, changes had been made to the company's own systems during the period in question. Among other things, the option to query Facebook data using telephone numbers has been removed.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *