Out-Law News

Meta GDPR fine levied over data protection by design and default

Ireland’s data protection authority has imposed fines totalling €265 million against Meta after determining infringements of EU rules on data protection by design and default.

The enforcement action taken by the Data Protection Commission (DPC) also includes an order for Meta to bring its personal data processing into compliance with the requirements. It comes after the DPC investigated the ‘scraping’ and subsequent disclosure of “a collated dataset of Facebook personal data” on the internet that was reported in 2019.

Meta said: “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.”

The fines imposed by the DPC were levied under Articles 25(1) and 25(2) of the EU General Data Protection Regulation (GDPR). The regulator said it had “examined the implementation of technical and organisational measures” by Meta in the context of those Articles and identified infringements. It said other EU data protection authorities agreed with its decision.

Article 25(1) of the GDPR requires controllers to implement appropriate technical and organisational measures – both at the time of the determination of the means for processing and at the time of the processing itself – to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing to meet the requirements of the GDPR and protect the rights of data subjects.

The specific measures controllers must deploy to comply with Article 25(1) depend on what technology is available, the cost of implementing the measures, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing.

Article 25(2) requires the controller to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

The Article 25(2) obligations apply to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. The provision specifically requires that the technical and organisational measures deployed ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

The DPC told Out-Law that it expects the decision adopted in this case to be published next week.

Meta has separately lodged an appeal before the Irish courts against an earlier fine imposed by the DPC under the GDPR. The DPC fined Meta €405m in September over children’s data protection issues it said it had identified with Instagram.
