Meta vs DPC over data-scraping breach
Meta has been granted leave by the Irish High Court to appeal a November 2022 decision by the Irish Data Protection Commission ("DPC") to impose fines totalling €265 million against Meta in connection with a major data-scraping breach involving personal data of over 500 million Facebook users.
The fine was imposed following an investigation by the DPC into claims that a “collated” set of Facebook personal data had been uploaded onto an online forum. The DPC at the time confirmed that the material issues in its inquiry concerned questions of compliance with General Data Protection Regulation (GDPR) obligations for data protection by design and default, and Meta's implementation of technical and organisational measures in compliance with Article 25 GDPR.
In making its application for leave, Meta argued that the DPC erred in finding it was in violation of Article 25(1) of the GDPR by allegedly failing to implement appropriate measures to prevent scraping of Facebook data.
Meta claims that the DPC's wide interpretation of this Article amounted to an error of law, contesting that Article 25(1) only applies to controllers and does not extend to abusive conduct by third parties, and Meta is effectively being held liable for the acts of third-party data scrapers.
In addition, while the DPC concluded that the scraping involved "unauthorised access" to user phone numbers, Meta claims that the phone numbers used by third-party scrapers were from publicly viewable profile data that was consistent with individual users' visibility settings. Despite this, since the fine was imposed by the DPC in November 2022, Meta has confirmed that it has made changes to its systems, including the ability to scrape its contact importer features using phone numbers.
The case has been adjourned to mid-April 2023, and we are currently awaiting developments. We will continue to provide updates as the case progresses. It is worthwhile noting that, to date, the DPC has imposed total fines of more than €1 billion on Meta. With more Meta investigations underway across Europe, we are seeing a continued focus by EU data protection authorities on holding Big Tech companies to account; with a potential shift in approach from the DPC in taking more aggressive enforcement action to align with its other EU counterparts.
This legal development follows an interesting connected legal challenge brought to the Irish Circuit Court in January 2023 against Meta and the DPC by Digital Rights Ireland ("DRI"), a digital rights group in Ireland which was unhappy with the findings of the DPC in relation to Meta's data scraping. The DRI's main argument is that the DPC has denied justice to victims by refusing to find that there was a personal data breach under Articles 4(12) and 32 of the GDPR, meaning that there was no requirement for Meta to notify the victims of the data breach. It remains to be seen what the Irish Circuit Court will decide in this legal action.