(Bloomberg) — Meta Platforms Inc. was slapped with a €265 million ($277 million) fine for failing to prevent the leak of the personal data of more than half a billion users of its Facebook service.
The Irish Data Protection Commission, the main privacy watchdog for Meta in the European Union, levied the fine following a probe that found the social-media company had failed to apply strict safeguards required under the bloc’s sweeping General Data Protection Regulation.
On top of the fine -- the third-biggest under GDPR — the watchdog ordered Meta’s Irish unit to make sure its processing complies with the law, according to an emailed statement on Monday.
The Irish authority is the lead watchdog for some of Silicon Valley’s biggest tech firms that have set up an EU base in the country, including Meta. It opened its probe following revelations that “a collated dataset of Facebook personal data” had been published on the internet. Personal information on 533 million Facebook users worldwide reemerged on a hacker website last year, including their phone numbers and email addresses.
The investigation looked into “Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta” between May 2018 and September 2019, the data protection commission said.
The social network has previously said the data is old and that the problem had been found and fixed in 2019.
Meta said in a statement on Monday that “protecting the privacy and security of people’s data is fundamental to how our business works” and that it had cooperated fully with regulators.
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” the company said. “Unauthorized data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Data watchdogs in Europe saw their powers increased overnight in May 2018, when the GDPR took effect and gave them the power to levy fines of as much as 4% of a company’s annual sales.
The biggest penalties under GDPR so far are a record €746 million fine for Amazon.com Inc. by its lead privacy watchdog in Luxembourg, followed by a €405 million fine for Meta’s Instagram, and a €225 million fine for Meta’s WhatsApp unit, both by the Irish authority.