On 28 November, the Irish Data Protection Commissioner imposed a €265 million fine on Meta-owned Facebook and Instagram over their data scraping practices and ordered remedial actions.

This inquiry by the Irish Data Protection Commissioner arose from the massive leak of Facebook personal data that was dumped online on a hacker forum in April 2021. The data included sensitive information such as full names, locations, birthdates, phone numbers and email addresses.

The data leak concerned 553 million people across 106 countries. In the EU alone, approximately 86 million people were affected. At the time, Facebook said that the leaked data was old, since the mass data scraping had been made possible by a vulnerability that the company had patched in August 2019.

A few days after the leak, the Irish Data Protection Authority announced that it was investigating the matter and would examine whether Facebook’s data harvesting practices complied with the GDPR principles of privacy by design and by default.

The investigation concluded that, between 25 May 2018 and September 2019, the social networks violated European privacy rules. The Commissioner imposed a set of specific remedial actions and issued a fine of €265 million.

A Meta spokesperson has been quoted as saying “unauthorized data scraping is unacceptable and against our rules, and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.” Meta can appeal this decision in court.

This is the second-largest fine against Meta, following a €405 million fine against Instagram for breaching the privacy of children.

Does your company make use of data scraping practices? Contact us, the Experts in Data Privacy, at info@dpoconsultancy.nl to ensure that this is done in a manner that adheres to privacy by design and by default at all times.