Ireland’s Data Protection Commission (DPC) has levied fines of €265 million ($277 million) against Meta Platforms for failing to safeguard the personal data of more than half a billion users of its Facebook service, ramping up privacy enforcement against U.S. tech firms.
The fines follow an inquiry initiated by the European regulator on April 14, 2021, close on the heels of a leak of a “collated dataset of Facebook personal data that had been made available on the internet.”
This included the personal information associated with 533 million users of the social media platform, including their phone numbers, dates of birth, locations, email addresses, gender, marital status, account creation date, and other profile details.
Meta acknowledged that the information was “old data” that was obtained by malicious actors by taking advantage of a technique called “phone number enumeration” to scrape users’ public profiles. This entailed misusing a tool called “Contact Importer” to upload a huge list of phone numbers to uncover matches.
Facebook has since removed the ability to use phone numbers to retrieve information via scraping as of August 2019.
The Irish watchdog, besides imposing a monetary penalty, also ordered Meta’s Irish unit to make sure its processing complies with the E.U. data protection laws.
To counter such unauthorized data harvesting, the social media giant, late last year, expanded its bug bounty program to reward valid reports of scraping vulnerabilities across its platforms as well as include reports of scraping datasets that are available online.
The development also marks the fourth time Ireland has slapped fines on Meta and its subsidiaries, which also comprises Instagram and WhatsApp.
In September 2021, the WhatsApp messaging service was fined €225 million for not being transparent about how users’ personal information is gathered and used, not to mention how it’s shared with its parent, Meta.
Then earlier this March, the DPC followed it by issuing fines of €17 million for a number of security issues that led to 12 different data breach notifications between June 7 and December 4, 2018, and exposed the information of up to 30 million Facebook users.
Meta’s Instagam was similarly fined €405 million in September 2022 for violating the E.U. General Data Protection Regulation (GDPR) over mishandling children’s data online by making public the phone numbers and email addresses of those operating business accounts.