Today Ireland's Data Protection Commission (DPC) announced that it has imposed a fine of €265 million on Meta's Irish subsidiary. The reason is a 2021 data breach on Facebook that exposed the phone numbers, locations, and birthdates of 533 million people who were Facebook users from 2018 to 2019.
The DPC started its investigation into the matter on April 14, 2021, following media reports about the discovery of this dataset, which was being made available on the internet. The inquiry concerned questions of compliance with the EU's GDPR obligation for "Data Protection by Design and Default", which Meta was found guilty of not adhering to.
The DPC's decision was adopted last Friday and made public today. It records infringement of two articles of the GDPR regulations by Meta. Aside from the aforementioned fine, an order has also been issued requiring Meta to bring its data processing "into compliance by taking a range of specified remedial actions within a particular timeframe", the DPC notes.
The comprehensive inquiry process involved cooperation with all of the other data protection supervisory authorities within the EU, which all agreed with the decision of the DPC.