Since last year, Meta has been ordered to pay nearly $1 billion in total by Ireland’s privacy regulator
Ireland’s Data Protection Commission (DPC) fined Meta $275 million on Monday over a data leak that compromised the personal information of more than 500 million Facebook users. Tasked with enforcing EU privacy law, the Irish watchdog has hit Meta with more than $945 million in fines since last October.
The DPC announced the fine in a statement, writing that a number of Facebook and Instagram search tools offered up to third-party developers by Meta had been used to obtain the personal information of users – including email addresses, locations, and phone numbers – between May 2018 and September 2019.
Some 553 million users in 106 countries were affected, with this data ending up on a “hacking forum,” according to an article by Insider last April. The DPC’s investigation began shortly after this report was published.
The DPC’s decision comes two months after it fined Meta roughly $420 million for mishandling the data of underage Instagram users, and eight months after it hit the tech giant with a $17 million fine for past data breaches. The company was also fined roughly $233 million by the DPC last October for transparent violations related to its WhatsApp messaging service.
In total, the DPC has fined Meta around $945 million since last October, although this is less than 1% of the firm’s 2021 revenue. The watchdog is currently conducting 13 additional inquiries into Meta’s activities.
Most major tech firms, including Google, Apple, Facebook, and Twitter, have their EU headquarters in Ireland, owing largely to the country’s low corporate tax rate. Accordingly, it has fallen on the DPC to ensure that these companies comply with the EU’s General Data Protection Regulation (GDPR), a sweeping privacy law enacted in 2018.
The DPC has been accused of being slow to act. A report by the Irish Council for Civil Liberties last year found that, at the time of publication, the DPC had not yet taken action in 98% of GDPR cases referred to Ireland. “EU GDPR enforcement against Big Tech is paralyzed by Ireland’s failure to deliver draft decisions on major cross-border cases,” the account read.