The Irish DPC has issued a fine of €265 million to Meta Platforms Ireland Limited (MPIL) – the data controller of the Facebook network – after a 19-month enquiry. The DPC also issued a reprimand and has imposed a range of specified remedial actions to be completed within three months.
While the Irish DPC is the lead regulator, this decision included cooperation with the other EU data protection supervisory authorities. This has been a surprisingly swift process, largely due to the EU countries being in agreement over the issue.
The enquiry began in April 2021. Over 530 million Facebook users’ personal data — including email addresses and mobile phone numbers — were reported to have been exposed online. It appears that the data had been scraped maliciously from Facebook profiles, using a Contact Importer tool provided by Facebook. In September 2019, Facebook adjusted the tool to prevent further malicious activity. The DPC focussed its enquiry on tools running between 25 May 2018 (when GDPR came into force) and September 2019 (when Facebook made its security amendments).
The core issue that led to the fine was Meta’s failure to meet the obligations around Data Protection by Design and Default (Article 25 of the GDPR) by implementing appropriate technical and organisational measures.
Data Protection by Design and Default
Data Protection by Design and Default is not new. But while in the past it’s been “advisable”, it is now, under GDPR, a legal requirement. Which means that you must, by law, have appropriate technical and organisational measures in place to ensure you comply effectively with data protection principles; and that you protect and safeguard individuals’ rights.
In practice, this means that you must think about data protection and privacy compliance – up-front. And build it into all the data processing you undertake. It has to be embedded throughout your business and all its practices. And it’s important that it starts at the very beginning of the process, from concept and design stage, and runs right through the lifecycle of any personal data processing you do.
This is the requirement that the DPC determined that Meta did not meet.
In response to the DPC actions, Meta says it is “reviewing this decision carefully”, and stated: “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers… Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge … Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue.”
Total Meta GDPR fines?
This latest fine brings the total amount of fines imposed since Autumn 2021 by the DPC on Meta to €912m. Previous fines include €405m just a couple of months ago (teenagers’ Instagram accounts displayed their phone numbers and email addresses on a “public-by-default” setting); in March 2022, a GDPR fine of €17m was levied; and in September 2021 a €225m fine was issued over “severe” and “serious” infringements by WhatsApp.
Avoid GDPR Fines
Privacy by Design and Default is at the heart of the GDPR. A Data Protection Impact Assessment (DPIA) is just one of the vital tools businesses need to help them meet their compliance and security obligations. It is an essential means of demonstrating that you put compliance and the security of your data subjects at the heart of everything you do.
Consider the individuals whose data you are processing. What will be the impact on them? Will the processing be fair? Is it even legal? Would they expect you to process it in this way? Have you made them aware? Have you told them their rights? Will their data be safe? Have you done your due diligence on your suppliers? Do you have the right contracts? What are the risks? How can the risks be mitigated? Do you have appropriate organisational processes in place? What technical safeguards do you have, and which do you need?
Asking yourselves questions like this will help you be sure you are taking appropriate steps towards meeting your obligations when processing personal data.
If you have questions or concerns about the practicalities around Data Protection by Design and Default, or how best to conduct a DPIA, or if you would like to chat about your own measures in this area, please call 01787 277742 or email firstname.lastname@example.org. You can find information about some of our services here.
Victoria Tuffill 29th November 2022