Member Article

Meta continues to make headlines for the wrong reasons in the data protection field as this week the Irish data regulator, the DPC fined the tech company €265 million ($275 million) for infringements of Articles 25(1) and 25(2) GDPR.

It is nothing new that Meta pushes data protection boundaries. The €265 million fine is the third largest GDPR penalty served to date and Meta also holds the number two spot following the €405 million fine imposed for Instagram, another of its platforms, mishandling teen data. This week’s fine stemmed from an investigation into 530 million Facebook users’ personal data being exposed online after a hacker exploited a vulnerability in a tool which allowed users to import contacts from their phones.

What is less common is the DPC use of Article 25 as the basis for the fine, and the headline for its press release. The DPC found that the design of this feature did not incorporate data protection principles embedded in Article 25(1) of GDPR requiring controllers to “implement appropriate technical and organisational measures… designed to implement data-protection principles” and Article 25(2) which further requires controllers to ensure that the data protection principles minimising use, accessibility and the period of storage are in place by default. By contrast, the Instagram fine refers to Article 25 for the first time in paragraph 156 of the decision having already established a number of other offences.

The use of Article 25 serves as a reminder that once a data breach has occurred there is usually no smoke without fire: the data controller is usually culpable to some degree. Even if the data scraping is conducted by ‘malicious actors’ on data that has been lawfully collected, controllers need to protect the data to a higher level ‘by design’. For organisations looking to be compliant with EU or UK GDPR this highlights that compliance documents papering over products and tools which do not incorporate technical and organisational measures will not suffice. Protections for data subjects must be built in. One way to achieve this is to conduct Data Protection Impact Assessments at the beginning of the design process. Finding flaws early and considering data protection as part of the design cycle can greatly reduce the risk of a significant Meta-style breach.

It is a reminder that comes just too late for Twitter.  Meta’s competitor was the victim of its very own data breach resulting from account scraping last week. The Meta fine may signal the likely approach for any investigation into whether Twitter protects privacy by design: and these principles will now be squarely in the sights of regulators around the globe.

 

Link to article