Meta fined €265M for not protecting Facebook users' data from scrapers

Meta has been fined €265 million ($275.5 million) by the Irish data protection commission (DPC) for a massive 2021 Facebook data leak exposing the information of hundreds of million users worldwide.

This concludes the DPC's investigation of potential GDPR violations by Meta, launched on April 14, 2021, following the publishing of data belonging to 533 million Facebook users on a hacker forum.

The exposed data included personal information, such as mobile numbers, Facebook IDs, names, genders, locations, relationship statuses, occupations, dates of birth, and email addresses. 

All of this data was shared on a well-known hacking forum, allowing the data to be used by threat actors for targeted attacks.

Facebook at the time said threat actors collected the data by exploiting a flaw in its "Contact Importer" tool to associate phone numbers with a Facebook ID and then scraping the rest of the information to build a profile for the user.

The platform said they had fixed the bug in 2019, and the data was collected before that.

DPC's investigation concluded that Meta (then Facebook) infringed Articles 25(1) and 25(2) of the GDPR, summarized as follows:

• 25(1) - The data controller shall implement appropriate technical and organizational measures, such as pseudonymization, and integrate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the rights of data subjects.

• 25(2) - The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each processing purpose are processed. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

“There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU,” reads the DPC announcement.

“Those supervisory authorities agreed with the decision of the DPC.”

Data scraping

Data scrapers are automated bots that exploit open network APIs of platforms that hold user data, like Facebook, to extract publicly available information and create massive databases of user profiles.

While no hacking is involved, the data sets collected by scrapers can be combined with data from multiple points (sites), creating complete profiles on users, hence making their tracking from marketers or targeting from threat actors a lot more effective.

However, in Meta's case, the threat actors used a flaw in the Contact Importer on Facebook and Instagram to link phone numbers with this publicly scraped information, allowing them to create profiles containing private and public information.

Scraping is against the policies of most online platforms, but enforcing these rules is technically complicated, as it was recently highlighted with TikTok and WeChat.

LinkedIn took things to court to prevent data scraping on the platform, securing an injunction against legal scraper operators and preventing them from using data they already collected in this manner.

The DPC is considered the spearhead of GDPR compliance in the EU due to many tech companies operating from Ireland, so its decision is bound to create turbulence for other big data controllers, forcing them to re-evaluate their anti-scraping mechanisms.