Irish DPC: Facebook Data Scraping not in line with Art. 25 of the GDPR

In 2021, media reports raised serious questions about how Facebook was dealing with the collected personal data of around 530 million Facebook users. Between 2018 and 2019, these datasets, which also included the email addresses and mobile phone numbers of Facebook users, were exposed on the internet. Following the media reports of these serious data protection compliance failures, an inquiry was ordered by the Irish Data Protection Commission (DPC) to examine and assess the claims.

Scope of Inquiry and Decision

The inquiry was focused on assessing the data processing by Meta Platforms Ireland Limited (MPIL) during the period from 2018 to 2019.  The inquiry involved assessing the following categories:

• Facebook Search;
• Facebook Messenger Contact Importer and;
• Instagram Contact Importer tools

After an extensive inquiry by the DPC, it was found that Facebook was indeed in breach of the Data Scraping requirements under the GDPR. The personal data collected was not handled responsibly lacking important technical and organizational measures (TOMs) to secure users’ personal data leading to the exposure of personal information online. The DPC held that Facebook was in non-compliance with Data Protection by Design and Default as per Art 25(1) and 25(2) of the GDPR.

Fines and Corrective Measures

On 25^th November 2022, the DPC not only imposed a huge fine of €265 million on MPIL, but also ordered some important corrective measures with a timeline of three months to fulfill them. The measures included  that MPIL is required to bring the relevant processing in compliance with Article 25(2) of the GDPR:

“Specifically, to the extent that MPIL is engaged in ongoing processing of personal data which includes a default searchability setting of ‘Everyone’, this order requires (…) MPIL to implement appropriate technical and organisational measures regarding the Relevant Features in respect of any ongoing processing of personal data, for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed, and that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. This order is made to ensure compliance with Article 25(2) GDPR.”

The “Relevant Features” were previously defined by the DPC as Facebook Contact Importer, Messenger Contact Importer, Instagram Contact Importer, Messenger Search and its variant Messenger Contact Creator features.

Conclusion

The decision highlights very important aspects of technical and organizational measures to be taken when dealing with people’s personal information. While there is always a risk of people’s personal data being disclosed online or on the dark web, that cannot be used as an excuse for inadequate technical and organizational measures. Data Protection by Design and Default can help companies strengthen their TOMs, which can eventually lead to higher standards of data security and better protection of the rights and freedoms of data subjects.