Written by staff writer.
Ireland’s Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited (MPIL) AUD409 million after a long-running data scraping investigation. MPIL is the company behind Facebook, and this is their third DPC fine this year.
The data scraping inquiry began in April 2021 after the names, dates of birth, phone numbers, email addresses, and location details of over 533 million Facebook users went up for sale on the dark web.
Meta has previously confirmed that the data was scraped from Facebook rather than hacked. Scraping software automatically trawls websites like Facebook for snippets of data to build profiles of people and entities.
“Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue,” says a statement from Meta following this week’s fine.
“Unauthorised data scraping is unacceptable and against our rules, and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
MPIL fell foul of the EU’s General Data Protection Regulation (GDPR), which lays down rules on the protection and security of personal data for entities doing business in Europe. MPIL is domiciled in Ireland, part of the EU, mainly for taxation reasons. Those GDPR rules require that data be protected by design and by default, something the DPC found Meta did not do.
“There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU,” says a DPC statement. “Those supervisory authorities agreed with the decision of the DPC.”
The inquiry focused specifically on the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools, and on processing carried out by MPIL between May 2018 and September 2019.
MPIL said malicious actors had used a tool called Contact Importer to upload large volumes of phone numbers and attempt to match them against publicly available data on Facebook users’ pages. The social media platform had permitted the tool, saying it let people search for friends on Facebook using phone numbers. However, as adverse publicity surrounding the scraping tool grew, Facebook removed Contact Importer from the platform in late 2019.
Last week’s fine was the second from the DPC in as many months for Meta. In October, the DPC fined the social media company AUD625.4 million after finding that its Instagram platform had not adequately protected children’s data. Earlier this year, the DPC also fined Meta AUD26.3 million over separate GDPR violations.
In September, South Korea’s Personal Information Protection Commission fined Meta AUD32.5 million for privacy violations, and in January France’s Commission Nationale de l’informatique et des Libertés fined Meta AUD99.8 million for failing to follow the EU’s privacy rules. All up, privacy agencies have fined Meta over AUD1.19 billion this year for privacy breaches.
The DPC describes last week’s financial penalties as “administrative fines.” The privacy watchdog adds that it also issued a reprimand and an order requiring MPIL to comply with GDPR rules and undertake certain remedial actions within a specified timeframe.