Meta Faces ~$275M GDPR Fine for Facebook Data-Scraping Breach

Meta, the parent of Facebook, has been fined another big sum for violating European data protection law.

The €265 million (~$275 million) fine was announced today by the Irish Data Protection Commission (DPC), the tech giant's lead regulator for the European Union's General Data Protection Regulation (GDPR).

The DPC confirmed that the decision, which was adopted on Friday, records findings of infringement of Articles 25(1) and 25(2) GDPR — which are focused on data protection by design and default.

The DPC said it is further imposing a range of corrective measures, writing: "The decision imposed a reprimand and an order requiring MPIL [Meta Platforms Ireland Limited] to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe."

The penalty relates to an inquiry which was opened by the DPC on April 14, 2021, following media reports of more than 530 million Facebook users' personal data — including email addresses and mobile phone numbers — being exposed online.

At the time, Facebook tried to downplay the breach — claiming the data floating around online was "old data" and that it had already fixed the issue that led to the data being exposed.

The company also said the data had been "scraped from Facebook profiles by malicious actors" using a contact importer feature it made available until September 2019, when it modified the feature to "harden against abuse by no longer allowing the upload of many phone numbers at once and matching against Facebook profiles".

The DPC confirmed its investigation considered a range of contact search and importer tools the company provides on its services between the date the GDPR came into application and the date of updates to the contact importer tool Facebook made in fall 2019.

"The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited ('MPIL') during the period between 25 May 2018 and September 2019," the DPC wrote.

"The material issues in this inquiry related to questions of compliance with the GDPR obligation for Data Protection by Design and Default," it added, noting that it had considered the application of "technical and organisational" measures relevant to Article 25 GDPR (which deals with data protection by design and default).

"There was a thorough investigation process, including collaboration with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC," the regulator also said — putting a spotlight on the lack of disagreement over this particular decision, which is often not the case with cross-border GDPR enforcement (disputes between EU regulators can substantially increase the time it takes to enforce the GDPR, so this final decision has landed relatively quickly).

According to DPC Deputy Commissioner Graham Doyle, the corrective action taken under the decision issued to Meta is "an order pursuant to Article 58(2)(d) GDPR… to bring its processing into compliance with the GDPR in the manner specified in this Decision" — with three months from the date of the final decision allowed in which to comply.

"Specifically, to the extent that MPIL is carrying out processing operations concerning personal data which involve a default setting of 'Everyone' for searchability, this order requires… MPIL to take appropriate technical and organisational measures with respect to the Relevant Features in relation to any processing operations concerning personal data carried out at present, to ensure that, by default and on an ongoing basis, only personal data which are necessary for each specific purpose of the processing are processed and that, by default personal data are not made accessible without a user action of indefinite numbers of natural persons," he said, underlining: "This order is issued for the purpose of ensuring compliance with Article 25(2) GDPR."

"Relevant Features" in that context are Facebook Contact Importer; Messenger Contact Importer; Instagram Contact Importer; and Messenger Search; and its variant Messenger Contact Creator features.

Meta had been contacted for comment. A spokesman declined to say whether or not the company intends to appeal — but the technology company said it is "reviewing" the verdict "carefully".

This is Meta's statement:

Our business's fundamental aspect is to protect people's data in terms of their privacy and security. Hence, we have fully cooperated with the Irish Data Protection Commission on this crucial issue. We had altered our systems at that time and deleted the option to scrape our features with a phone number in that particular manner. Unauthorised data scraping is unacceptable and violates our policy. We will continue to work along with our peers on this industry challenge. We are studying this decision carefully.

The company added that it has put in place a range of measures to combat data scraping since this breach — including applying rate limits and deploying technical tools to combat suspicious automated activity, as well as providing users with controls to limit the public visibility of their information.
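As an added illustration that is not Meta's code or the article's, here is a toy contact-importer lookup that applies the three controls the text describes: a cap on phone numbers per upload, a per-account rate limit, and a phone-searchability setting that is off by default, so a number only resolves to a profile when its owner opted in. All limits, names and the sample directory are constructed values.

```python
"""Toy contact-importer lookup hardened along the lines the article describes."""
from collections import defaultdict

MAX_NUMBERS_PER_REQUEST = 5   # cap on numbers per upload (constructed value)
MAX_REQUESTS_PER_WINDOW = 3   # per-account request budget per window (constructed value)
WINDOW_SECONDS = 60

# Constructed sample directory: phone -> (user_id, searchable_by_phone).
# Data protection by default (Art. 25(2)): the flag is False unless the
# user turned it on, i.e. searchability is not 'Everyone' out of the box.
PROFILES = {
    "+15550001": ("alice", True),
    "+15550002": ("bob", False),
    "+15550003": ("carol", False),
}


class ContactImporter:
    def __init__(self, profiles=PROFILES):
        self.profiles = profiles
        self.history = defaultdict(list)  # requester -> recent request timestamps

    def _allowed(self, requester, now):
        """Sliding-window rate limit: at most MAX_REQUESTS_PER_WINDOW per window."""
        recent = [t for t in self.history[requester] if now - t < WINDOW_SECONDS]
        self.history[requester] = recent
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return False
        recent.append(now)
        return True

    def match(self, requester, numbers, now):
        """Return {phone: user_id} for uploaded numbers whose owner opted in.

        Raises ValueError for oversized batches (bulk matching is refused
        outright) and PermissionError when the requester is rate-limited.
        """
        if len(numbers) > MAX_NUMBERS_PER_REQUEST:
            raise ValueError("too many numbers in one upload")
        if not self._allowed(requester, now):
            raise PermissionError("rate limit exceeded")
        result = {}
        for number in numbers:
            entry = self.profiles.get(number)
            if entry and entry[1]:  # matched only when the owner is searchable
                result[number] = entry[0]
        return result
```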

The GDPR penalty is not the first for Meta — and it may not be its last.

Just over a year ago, Meta-owned WhatsApp was fined €225 million (~$267 million) for transparency breaches. Earlier this fall Meta-owned Instagram was hit with a €405 million penalty for children's privacy violations. And back in March, the company was also fined around $18.6 million over a string of historical Facebook data breaches.

The DPC also has several other ongoing inquiries into various other aspects of Meta's business — not least a major investigation, dating back around 4.5 years, into the legal basis Meta claims for processing people's data.

Blog | 2024-11-27 18:28:48