top of page

Meta received a $274M GDPR penalties for a data scraping violation.

After a leak exposed the personal information of more than half a billion people, Meta Platforms was penalized 265 million euros ($274 million) for failing to implement sufficient safeguards to protect user data.

The corporation was also punished by the Irish Data Protection Commission (DPC), the European regulator for Meta, and was given a three-month deadline to adhere to a number of corrective organizational and technical steps.

The data regulator said Meta violated Article 25 of the General Data Protection Regulation (GDPR) by scraping user information from public profiles between May 25, 2018, and September 2019, according to a judgement adopted on Nov. 25 and released on Monday.

The Irish DPC found that Meta's Facebook and Instagram message apps did not protect data "by design and default." When informed of the Irish DPC's judgment last month, all other EU data regulators concurred.

Following media allegations that the personal information of more than 530 million Facebook users was discovered to be accessible on a website for hackers, the data authority started its investigation in April 2021. Full names, addresses, dates of birth, phone numbers, and email addresses were among the information.

Facebook said at the time that the information had been recycled after being stolen and made public in a purported data breach that occurred in early 2018—before the GDPR went into effect. Meta initially contended that it had no new case to answer because the incident happened before the GDPR.

The investigation sparked debate among legal professionals about whether businesses could or ought to face multiple penalties for the same data leak, as some felt the GDPR did not explicitly state what would happen in the event that a breach was not adequately fixed by the organization and later resulted in more people being affected.

"Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue,"  according to a Meta spokeperson. "We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules, and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully."

For failing to secure the privacy of its teen users, the Irish DPC fined Instagram a record €405 million ($401 million) in September.

After looking into a dozen breach warnings, the commission fined Meta €17 million (then: US $18.6 million) in March. The Irish DPC discovered the tech company improperly processed personal data and lacked the necessary organizational and technical safeguards to protect it.

A GDPR penalties of €225 million (then $267 million) was imposed on WhatsApp, a subsidiary of Meta, last year for data processing violations.



bottom of page