Date of final decision: 25 November 2022
Cross-border, subject to the cooperation and consistency mechanism outlined in Article 60 GDPR.
LSA: Irish Supervisory Authority (SA).
and CSAs: all other European SAs.
Controller: Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (‘Meta Platforms’).
Legal Reference: GDPR obligation for Data Protection by Design and Default (Article 25 GDPR).
Decision: infringement of Articles 25(1) and 25(2) GDPR, order to bring processing into compliance, and administrative fines totalling €265 million.
Key words: Data Protection by Design and Default, cross-border, Article 25.
Summary of the Decision
Origin of the case
The Irish Supervisory Authority, SA commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet.
The scope of inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default. The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept).
The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring Meta Platforms to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on Meta Platforms.
For further information: Data Protection Commission announces decision in Facebook “Data Scraping” inquiry