Facebook owner fined for huge EU data breach

Ireland's data protection watchdog has fined the parent company of internet giants Facebook, Instagram, and WhatsApp 265 million euros ($275 million) for failing to stop hackers from gleaning the details of more than 500 million Facebook users.

The fine was the latest in a series of legal setbacks for Meta, including almost 1 billion euros in European Union fines since September 2021.

In the latest incident, Ireland's Data Protection Commission, or DPC, found the United States company had broken EU data protection rules by failing to stop the "scraping" of personal data from Facebook accounts during 2018 and 2019, which was then published on a hacking website.

The case was heard in Ireland, which is a member of the EU, because it is home to Meta's European headquarters.

Meta said in a statement it had made changes since the breach and that "protecting the privacy and security of people's data is fundamental to how our business works".

"That's why we have cooperated fully with the Irish Data Protection Commission on this important issue," the company said while insisting it is no longer possible to "scrape" information from Facebook accounts through the use of account holders' phone numbers.

Helen Dixon, Ireland's data protection commissioner, said Facebook had fallen victim to "data scraping" before the incidents in 2018 and 2019, but failed to protect users' information.

"Because this dataset was so large, because there had been previous instances of scraping on the platform, where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction," she told the BBC.

The EU also officially reprimanded Meta over the incident, and ordered the company to ensure future compliance with its rules.

This week's fine follows a 405-million-euro penalty issued by the DPC in September, after it found teenagers had been able to set up Instagram accounts that publicly displayed their phone numbers and email addresses. In addition, in March Meta was fined 17 million euros for other breaches of the EU's General Data Protection Regulation, or GDPR.

Despite the fines, a legal expert told The Guardian newspaper problems may persist.

David Hackett, head of data protection in the Ireland office of law firm Addleshaw Goddard, said "by any measure, these are significant fines".

But he said such fines were initially aimed at serving "as a deterrent to other companies" that "might consider breaching the law".

He said companies now seem to factor them in to their operations.

"We are likely to see increased debate about whether … some companies simply see (such fines) as an added cost of doing business," he said.

Ireland is at the center of litigation between the EU and technology companies because, in addition to Meta, Apple, Google, and TikTok all have European headquarters there.