"Unacceptable" data scraping lands Meta a £228m data protection fine

The Meta logo shown on a phone, in front of an orange to purple gradient bearing smaller versions of the logo
(Image credit: Getty Images)

Meta has been fined €265m (£228m) by the Irish Data Protection Commission (DPC), following a prolonged inquiry into a data scraping incident.

The DPC imposed a reprimand against Meta, leveraged the administrative fine against the firm, and ordered it to take specific remedial measures within a specific time frame in order to bring its processing of personal data into compliance with EU law.

The decision comes after a 17-month inquiry into the company, after it was discovered that personal data from the Facebook accounts of 533 million users was publicly available on a hacking forum.

This had been scraped from Facebook between May 2018 and September 2019 through the use of tools intended to link users to their friends using phone numbers.

As part of its decision, the DPC did not find that the incident constituted a hack, data breach, or security practice failing. In a press release on the decision, the DPC stated that the inquiry and decision process included “cooperation with all of the other data protection supervisory authorities within the EU”, and that all agreed on the final decision.

"Protecting the privacy and security of people’s data is fundamental to how our business works,” a Meta spokesperson told IT Pro.

“That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue. We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.


Five common data security pitfalls

Learn how to improve your security posture


“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”

The decision has brought the total amount that Meta has paid in data privacy fines within Europe to €1 billion (£863,000), with the DPC having ordered Meta subsidiary Instagram to pay a record €405 million in September for a violation of GDPR involving data processing for the platform’s 13-17-year-old users. The commission found that children in this age range could set up business accounts, set to 'public' by default.

“Meta is on a losing streak,” said Sarah Coop, analyst at data and analytics company GlobalData.

“Privacy breaches damage consumer trust, which is already dwindling for Meta. Its central social media platform, Facebook, is struggling to attract younger users due to strong competition from other platforms like TikTok. The company has also reportedly lost $9.4 billion on its metaverse business unit and has recently restructured, laying off 11,000 employees.”

“GDPR fines are simply collateral damage for Big Tech. While fines can be large, at up to 4% of global turnover, most Big Tech consider it the cost of doing business. However, consumer confidence will be important for the metaverse, and cybersecurity breaches and data privacy fines further taint Meta’s already tarnished reputation.”

However, some in the industry have pointed out that the mishandling of personal data is far from a problem unique to Meta.

“Meta should not be the scapegoat of those worried about misuse of personal data,” said Paul Brucciana, cyber security advisor at WithSecure

“4.1 billion records leaked in the first 6 months of 2019 alone. In a recent poll of 1,000 US companies, nearly half (45%) claim they have faced a major data breach within the past five years. The situation is unlikely to be less grave anywhere else.”

In addition to following the decision made by the DPC, Meta has outlined a number of practices that it has already implemented in order to tackle data scraping on its platforms.

The firm has employed tactics such as rate limiting to prevent scrapers from using platforms at an abnormal speed, automated tools for investigation, and hunting down datasets with the help of threat intelligence researchers.

Meta stated that users can tailor their privacy settings to limit the amount of data visible on their profile, which in turn reduces data misuse.

The fine comes amidst a record low for Meta’s finances. In October, the company’s earnings call painted a bleak picture, with net income down 52% against a 19% surge in spending.

The firm’s commitment to developing metaverse tech, driven in no small part by CEO Mark Zuckerberg, has led to record spending by the company on its Reality Labs division, with almost $10 billion allocated this year alone, and more locked in for 2023.

Since its earnings call, Meta has cut 11,000 staff amidst calls by Zuckerberg for a more capital-efficient company. The firm has admitted that its growth has not hit the anticipated targets, and Zuckerberg has indicated that its current financial situation is down to a mixture of macroeconomic factors and an overly-optimistic investment strategy.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.