Ireland’s data regulator has imposed a €265 million fine on Facebook owner Meta for violating European privacy rules in a move that takes total penalties against the company to €910 million in 14 months.
The fine handed down on Monday by Helen Dixon is the fourth sanction against the business and its subsidiaries since she assumed new powers in 2018 to supervise the pan-European operations of large tech companies such as Meta, which has its European headquarters in Dublin.
She is responsible for inquiries into alleged breaches by Big Tech groups of the EU’s general data protection regulation (GDPR), which was billed as a game-changer in the drive to control how business use consumers’ personal information.
The latest fine on Meta follows an inquiry into media reports that a “collated” set of Facebook personal data had been made available on the internet. The inquiry examined Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools between May 2018 and September 2019.
“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for data protection by design and default,” Ms Dixon’s office said.
The new penalty follows a €405 million fine in September for violations of children’s privacy on Meta’s Instagram service, a €17 million fine against Meta in March for 12 data breaches and a €225 million fine in September 2021 against Meta’s WhatsApp unit for “severe” privacy breaches.
Meta has appealed both the Instagram and WhatsApp fines in the High Court in cases that are likely to set precedents for the operation of GDPR inquiries in the future. The company argued this month in the High Court that the Instagram decision breached the Charter of Fundamental Rights of the EU and was therefore invalid.
“We have co-operated fully with the Irish Data Protection Commission on this important issue,” a Meta spokesperson said in a statement. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” they added.
“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Ms Dixon has been criticised for the slow pace at which she has carried out investigations into social media, many of them delayed because of disputes with her European counterparts over penalties.
She has always rejected such complaints, accusing critics of “superficial skimming of the surface” and “exaggeration”.
The latest inquiry began in April 2021 and wrapped up last Friday after other European regulators “agreed with the decision” of the Data Protection Commission in Dublin.
“There was a comprehensive inquiry process, including co-operation with all of the other data protection supervisory authorities within the EU,” Ms Dixon’s office said.
“The decision imposed a reprimand and an order requiring [Meta Platforms Ireland Ltd] to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on MPIL.”