Facebook and Instagram parent Meta has been fined €265mn by Ireland’s privacy watchdog over its handling of user data, bringing the total amount the technology giant has been fined by European regulators to nearly €1bn.
The fine, announced on Monday by the Irish Data Protection Commission, ends an inquiry launched in April last year when details of more than 500mn Facebook and Instagram users were published online.
Meta has regularly been in the crosshairs of privacy regulators around the world, with Ireland’s data watchdog often taking the lead in Europe as the company’s European headquarters are based in Dublin.
The latest punishment is a further blow to Meta which, at the beginning of this month, dismissed more than 11,000 staff as it restructured its business following a decline in revenues and fierce competition from rivals such as TikTok. Meta’s net income fell to $6.69bn from $10.39bn last year.
The Irish fine relates to a tool designed to help users find friends and people they know through importing contacts from their phones on to the Facebook or Instagram app.
The personal data of 533mn users across 106 countries were published on a hacking forum in 2019, including names, locations and some email addresses. Facebook subsequently fixed the vulnerability on this feature, where data could be collected by external parties through a process called scraping.
Meta said that it was reviewing the decision carefully and “protecting the privacy and security of people’s data is fundamental to how our business works”.
It added that “unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge”.
The latest sanction brings the total amount Meta has been fined to roughly €1bn, including €225mn against its messaging service WhatsApp for failing to enforce transparency requirements under EU law, and a €405mn fine against Instagram for breaching data laws and failing to protect children’s data in particular.
The fines are part of the wider enforcement of the General Data Protection Regulation, an EU-wide law that was seen setting a global standard for online privacy when it came into force four years ago.
Some privacy activists and senior European regulators have said the laws do not go far enough and that the fines are merely the cost of doing business for large tech companies.
Companies face fines of up to 4 per cent of global turnover if they fail to comply with privacy rules in the bloc. Other nations have gone after privacy violations too. Last year, Luxembourg imposed €746mn against Amazon for breaking data privacy rules, the largest ever fine related to breaking the EU’s GDPR rules.