265 million euro fine for Meta

29. November 2022

The Irish Data Protection Commission (DPC) imposed an administrative fine of 265 million euros on Facebook-mother Meta as a result of the unlawful publication of personal data.

Investigation proceedings

Following the availability online of personal data of up to 533 million Facebook and Instagram users from over 100 countries in April 2021, the DPC had launched investigations. As part of the investigation process, it cooperated with the other European data protection authorities and examined the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools. With the help of these tools, contacts stored in the smartphone can be imported into the Instagram or Facebook app in order to find friends or acquaintances.

Lack of technical and organisational measures to protect data

As part of its investigation, the DPC dealt with the so-called technical and organisational measures according to Article 25 GDPR. According to data protection law, data controllers must use such measures to ensure that the rights of data subjects are extensively protected. These include, for example, pseudonymisation and encryption of personal data, but also physical protection measures or the existence of reliable backups.

The DPC did not consider Meta’s technical and organisational measures to be sufficient. Therefore, in addition to the aforementioned fine of 265 million euros, it issued a reprimand as well as an order to bring the processing operations into compliance with data protection law within a certain period of time and to implement a number of specific remedial measures to this end.

Not the first fine for Meta

Meta is by now familiar with fines from European data protection authorities. In total, the company has already been fined almost one billion euros, most recently in September in the amount of 405 million euros for serious data protection violations involving underage Instagram users. The reason for the considerable amount of the individual sanctions is Article 83 GDPR, according to which fines can amount to up to four percent of a company’s total worldwide annual turnover. Meta has appealed against each of the previous decisions, so it can also be assumed in this case that Meta will not accept the fine without a judicial review, either.