Meta fined $275 million over data scraping practices that violated GDPR

Ireland’s Data Protection Commission (DPC) has fined Meta €265 million (about $275 million) after a year-long inquiry into the company's data protection practices.

The fines stem from Facebook’s practice of making personal data accessible by default through search functions and concern Facebook Contact Importer, Messenger Contact Importer, Instagram Contact Importer and Messenger Search and its variant Messenger Contact Creator features.

The DPC said on Monday the features violated General Data Protection Regulation (GDPR) rules around Data Protection by Design and Default.

The features allowed anyone to scrape the social media giant — a process where bots are able to gather data online automatically. Typically, the bots are used to scan social media sites like Facebook and copy whatever information is available. 

The investigation began in April 2021 after media reports emerged of a “collated dataset of Facebook personal data that had been made available on the internet” following an instance of scraping. According to the ruling, the issues occurred between May 2018 and September 2019.

The DPC noted that it worked with “all of the other data protection supervisory authorities within the EU” – which were in agreement with its decision. 

In addition to the fine, the DPC is ordering a range of corrective measures that need to be taken, including remedying the practices within three months of the ruling’s release. 

A DPC spokesperson told The Record that the order requires the company to “implement appropriate technical and organizational measures” that ensure “by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

In a statement to The Record, a Meta spokesperson said the company has “cooperated fully with the Irish Data Protection Commission on this important issue.” 

“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” the spokesperson said. 

“Unauthorized data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.” 

In September, Meta said it was appealing another fine, worth $400 million, for violations related to Instagram allowing children as young as 13 to operate business accounts. Last year, the DPC also fined Meta $267 million for GDPR violations related to data processing done by WhatsApp.