Meta is asking the High Court to quash a decision of Ireland’s data-protection watchdog to fine it €265 million for an alleged breach of EU privacy rules regarding the personal information of about more than 500 million Facebook users.
The Irish-based Data Protection Commission (DPC) imposed the fine last November 25th on Meta Platforms Ireland Limited – owner of Facebook, Instagram and WhatsApp – after inquiring into media reports that a “collated” set of Facebook personal data had been uploaded on to an online forum.
Total penalties imposed on the company by the DPC – the primary supervisory body for Meta in Europe – have surpassed €1 billion.
In January the High Court gave permission for Meta to seek judicial review of a €405 million fine, the largest ever imposed by the DPC, over Instagram’s handling and processing of teenagers’ personal data.
At the High Court on Monday, Mr Justice Charles Meenan granted leave, while only Meta was notified of the application, for the firm to pursue its claim over the €265 million reprimand.
Meta’s senior counsel, Andrew Fitzpatrick, said the DPC’s November 2022 decision had made Meta liable for the acts of third-party data “scrapers”. His client has also commenced statutory appeal proceedings, but it is entitled to have the matter reviewed by the High Court, he said.
The DPC’s inquiry, which commenced in April 2021, examined Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools between May 2018 and September 2019.
The DPC said the material issues in the inquiry concerned questions of compliance with General Data Protection Regulation (GDPR) obligations for data protection by design and default. The DPC said other data-protection supervisory authorities in the European Union agreed with its decision.
In its court proceedings, Meta says the DPC erred in finding it violated article 25(1) of the GDPR by allegedly failing to implement appropriate measures to prevent scraping of Facebook data. Article 25(1) relates to the data controller itself and “does not relate to abusive conduct by third parties”, Meta claims, adding that the commissioner’s wide interpretation of this article amounts to an error of law.
The commissioner incorrectly concluded that the scraping at issue involved “unauthorised access” to user phone numbers, says Meta. The only profile data in the scraped data set was used by scrapers from publicly viewable profile data that was consistent with individual users’ visibility settings, it claims.
It says the scrapers are believed to have randomly input digit combinations to automatically search for users whose privacy settings allowed their profiles to be found by anyone with their phone number.
Scraping is inherently difficult for an online platform to prevent and is not equivalent to hacking, which involves unauthorised access to a computer system, Meta adds.
The DPC’s findings that Meta could have implemented additional measures to prevent the scraping is “generally unsupported by any evidence and rest on flawed reasoning and errors of fact”, it is claimed.
Meta alleges the DPC’s decision is invalid as it was reached in breach of various articles of the Charter of Fundamental Rights of the EU.
It wants the court to declare that several sections of the Data Protection Act of 2018 are invalid when considering provisions of the Constitution.
It claims an administrative fine of the magnitude of €265 million constitutes the imposition of a “sanction so severe as to be criminal in nature”. Even if Meta is wrong about this, the seriousness of the findings of infringement made, and the consequences of those findings including the fine, means the DPC was not exercising limited functions and powers of a judicial nature within the meaning of article 37.1 of the Constitution, it says.
The DPC further erred in concluding it is not obliged to demonstrate the level of damages allegedly suffered by data subjects, Meta alleges.
The case was adjourned to mid-April.