The Irish privacy authority announced on Monday that it would fine Meta €265 million and take other corrective action for failing to properly protect its data.
The fine is for a data breach discovered in 2021. Personal data of EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials is included in a leak of 533 million records, including phone numbers, Facebook IDs, full names and dates of birth, that surfaced on a public forum and circulates widely on the web.
The Irish Data Protection Commission — which oversees Meta because its European headquarters is there — argued that the US tech giant failed to meet the General Data Protection Regulation’s obligation to ensure privacy “by design and default”, meaning it designed its products in such a way that personal data could leak.
In addition to the fine, the authority imposed a reprimand and an order subject to periodic penalty payments [Meta’s] processing to compliance by taking a series of specified corrective actions within a specified time frame,” the DPC said in a statement.
A spokesperson for Meta said the company had “made changes to our systems during the relevant time, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules and we will continue to work with our colleagues on this industry challenge.”
Facebook can still appeal the decision in Irish courts. It said it will “carefully review this decision”.
Ireland’s Data Protection Commission is also expected to announce three other decisions against Meta companies soon, it told POLITICO this month.