Ireland’s Data Protection Commission (DPC) has slapped Meta Platforms Ireland Limited (formerly Facebook Ireland) with a €265 million fine for the loss of data relating to over 533M subscribers. It continues the DPCs crackdown on social media companies. For Meta, it brings the total number of fines levied against several business units to over €1 billion in the last 15 months.
The DPC opened a case against Meta back in April 2021. It came as a result of several media reports of a collated set of Facebook user data being available on the Internet. Meta responded to the announcement of the query with a statement saying:
“……… based on our investigation to date, we believe that the information in the data-set released this weekend was publicly available and scraped prior to changes made to the platform in 2018 and 2019. As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information.”
As a result of that investigation, the DPC decided Meta had infringed Articles 25(1) and 25(2)of the GDPR. In addition to this, it has ordered it to take a number of unspecified remedial actions. There is no detail on those actions or the timeframe in which they must be completed.
What is this about?
At the heart of this case is a serious breach of user data such as phone numbers, date of birth, email address, and other personal information. While the data goes back several years, there is no reason to think that much of it is still current for those users.
The data breach was caused when malicious actors took advantage of a vulnerability in the way Facebook Contact Importer worked. They were able to upload lists of phone numbers and then scrape the data associated with those numbers. Although it has now been fixed, that will be of little consolation to those who had their data taken.
Is worse to come for Meta?
After years of being accused of being too close to Meta and other big tech, Ireland’s DPC has been showing its teeth. Fines are being issued, not as big as some would like, but they are being issued. On top of that, tech companies, such as Meta are being told to clean up their process.
Still to be resolved is the legal status of EU/US data transfers. It is an issue that has gone on for years, with several solutions failing to deliver. The current agreement from earlier this year has still to deliver on the Court of Justice of the EU rulings. That means that there is no guarantee that data transfers are legal and in line with GDPR requirements.
If, as expected, the US waters down the last agreement and fails to deliver what the EU wants, data transfers could still be halted. Political frustration at big tech and social media companies is growing across Europe. Meanwhile, none of the big players, such as Meta, has yet to completely ringfence EU users’ data. Will we see the EU actually ban and enforce a ban on data transfers? It is a distinct possibility but not one that is likely to happen immediately.
The question is, will Meta build its own solution to the problem? There are ways to do this to defeat US law, as EU cloud vendor OVH did a few years back. However, without an imminent threat to its business, Meta is unlikely to do anything.
Enterprise Times: What does this mean?
Fines for not taking care of user data are on the increase across the board. For some of the big tech companies headquartered in Ireland, the aggressive stance taken by the DPC is unwelcome. However, many privacy commentators believe such action is not only overdue, but it is also still far from enough.
Meta would argue differently. €1 billion in fines in 15 months is no small amount of money. The company is currently racking up billions in losses and can ill afford to be losing more money to fines for its data protection failures. The question is, as it goes through a series of job cuts, can it fix the problems? Only time will tell.