Ireland’s Data Protection Commission (DPC) has slapped Facebook and Instagram parent company Meta Platforms with a hefty fine over yet another failure to comply with Europe’s stringent data protection laws.
This time, the tech giant will pay 265 million euros—roughly $274 million—for a 2021 breach that inadvertently exposed the data of roughly 533 million people using the company’s products. The DPC noted in a statement that it started looking into the leak, which saw the names and contact information of those millions of users crop up on a popular hacking forum, shortly after some media outlets reported on it. At the time, a Facebook spokesperson said that the bad actor had sourced this information from a vulnerability that the company patched in 2019.
By not securing that data adequately, Meta had fallen short of Europe’s General Data Protection Regulation (GDPR), which had gone into effect roughly one year before Meta had made its own fixes internally. In particular, according to the DPC, the company infringed on the rules mandating that companies build their products with “data protection by design,” by default.
Aside from the fine, a spokesperson for the DPC told TechCrunch that Meta will be given three months to issue a number of “remedial actions” to bring its products up to code with that GDPR statute. When contacted by MarketWatch, a Meta spokesperson said that the company was “carefully” reviewing the Irish authority’s decision.
“Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue,” the spokesperson added.
This fine is not the first action Meta has faced from the DPC this year. In March, the DPC fined the company roughly $18.6 million over a string of data breaches that exposed the personal details of an estimated 30 million Facebook users. A few months later, the authority fined Meta roughly $402 million after an investigation into Instagram found that the platform was also falling short of handling younger users’ data in compliance with GDPR.
The DPC has raised other ongoing queries regarding the company’s data collection habits, making it possible that this latest fine won’t be the last.