Ireland’s privacy authority Monday announced it was imposing a €265 million fine and other corrective measures on Meta for failing to properly protect its data.
The fine is for a data breach discovered in 2021. Personal data of EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials were included in a leak of 533 million records, including phone numbers, Facebook IDs, full names and birthdates, that surfaced on a public forum and circulated widely on the web.
The Irish Data Protection Commission — which oversees Meta because its European headquarters is in Ireland — argued the U.S. tech giant failed to comply with the General Data Protection Regulation’s obligation to ensure privacy “by design and default,” meaning it had engineered its products in a way that personal data could leak.
In addition to the fine, the authority imposed a reprimand and an order “to bring [Meta’s] processing into compliance by taking a range of specified remedial actions within a particular timeframe,” the DPC said in a statement.
A spokesperson for Meta said the company had “made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.”
Facebook can still appeal the decision before Irish courts. It said it was “reviewing this decision carefully.”
The Irish Data Protection Commission is also expected to announce three other decisions against Meta companies soon, it told POLITICO this month.