In order to punish Meta for failing to stop hackers from stealing personal information from more than 500 million Facebook users in a 2019 data leak, Ireland’s data privacy authorities levied a fine of over $275 million.
With Monday’s announcement, the Irish Data Protection Commission, the principal privacy watchdog in charge of policing Meta’s operations in Europe, imposed a fine for the fourth time in roughly a year on Facebook (FB)’s parent company. The commission stated that the decision to issue the fine was made last Friday.
Since the fall of 2021, Ireland’s DPC has slapped Meta with 912 million euros in fines, going after the social media titan and its other subsidiaries, Instagram and WhatsApp, for alleged violations of Europe’s signature data privacy law, known as the General Data Protection Regulation (GDPR).
The second-largest GDPR fine in history was levied against Meta earlier this fall for Instagram’s handling of children’s data, totaling 405 million euros. Other enforcement efforts resulted in fines of 17 million euros and 225 million euros, respectively, in March 2022 and September 2021.
In a statement Monday, a Meta spokesperson said it was reviewing the DPC’s decision “carefully” and that it had cooperated fully with the agency’s investigation.
After Business Insider revealed that the personal information of more than a billion Facebook users had been exposed on a dark web hacker website, the investigation got under way in April of last year.
Facebook claimed at the time that hostile actors had misused its contact importer tool to compare known phone numbers to Facebook user profiles before extracting more data from those profiles.
“Protecting the privacy and security of people’s data is fundamental to how our business works,” Meta said in Monday’s statement. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.”
The Irish DPC’s decision comes amid broad criticism by privacy advocates that regulators have moved slowly and hesitantly to enforce GDPR, which went into effect in 2018.
The largest GDPR fine to date was imposed last year on Amazon (AMZN) for 746 million euros by privacy regulators in Luxembourg who said the way the e-commerce company processes personal data does not comply with the law. Amazon (AMZN) is fighting the penalty.