|

After €900m in fines, Meta faces 13 open investigations by Irish regulator

After €900m in fines, Meta faces 13 open investigations by Irish regulator

Ireland’s data protection authority currently has 13 open investigations into Meta, The Media Leader has learned, following last week’s quarter-billion fine against the parent company of Facebook, Instagram and WhatsApp.

The Irish Data Protection Commission (DPC) is closely aligned with the European Data Protection Board (EDPB), which indicated in its latest agenda statement for 5 December there would be three forthcoming decisions on drafts made by the DPC on separate “disputes arisen” between Meta Platforms Ireland and its Facebook service, its Instagram service and its WhatsApp Ireland Limited respectively.

These decisions could result in further fines of millions of euros for concerns around the data privacy of Irish and EU citizens.

The DPC has made four decisions regarding the tech giant since September 2021, resulting in fines totalling €912m and “a range of corrective measures” being implemented.

The regulator confirmed to The Media Leader there are 13 open investigations into the company (full details below).

The most recent €265m administrative fine from the DPD was a result of a “data scraping inquiry” which found 500 million users’ personal data were published online during the period between 2018 and 2019. The DPC found Meta to have infringed two EU GDPR articles.

Data scraping is the automated collection of data from a website or app and can affect companies of all sizes.

A Meta spokesperson told The Media Leader: “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”

The UK’s competition watchdog, the Competition and Markets Authority (CMA), also currently has three separate open investigations into Meta under different frameworks and laws; one into its use of data, one into its proposed merger with Giphy and one about a potential anticompetitive agreement with Google.

Additionally, another investigation into fake reviews is ongoing.

These prospective decisions being imposed come as Meta and other tech platforms come under new scrutiny in the reading of the Online Safety Bill, particularly with regard to safeguarding youth against “legal but harmful content”, and the company laid off 11,000 staff in cost-cutting measures.

Details of the DPC’s open investigations into Meta

Facebook Ireland Limited

27 July 2018: Following a complaint, the DPC commenced an assessment of Facebook’s refusal of the complainant’s Article 15 (right of access by the data subject) and Article 20 (right to data portability) requests.

20 August 2018: Following a complaint, the DPC commenced an assessment of Facebook Ireland Limited’s lawful basis for processing and transparency in respect of the Terms of Service and Data Policy of the ‘Facebook’ service. This concerns Article 6 – lawfulness of processing, Article 7 — conditions for consent, Article 12 — Transparent information, and Article 13 — information to be provided where personal data are collected from the data subject.

20 August 2018: Following a complaint, the DPC commenced an assessment of the validity of legal bases for processing personal data for the purposes of targeted advertising and profiling. This concerns Article 6 — lawfulness of processing.

3 October 2018: The DPC commenced an own volition inquiry concerning Facebook Inc. Token breach reported by Facebook Ireland in September 2018. The inquiry concerns Article 5 – principles relating to processing of personal data, Article 24- responsibilities of the controller, Article 25 — data protection by design and default, Article 28 – processor, Article 29 – processing under authority of data controller or data processor, Article 30 — records of processing activities, Article 32 — security of processing, Article 33 – notification of a personal data breach to the supervisory authority, and Article 34 — communication of a personal data breach to the data subject.

18 October 2018: The DPC commenced an own volition assessment of Facebook Ireland Limited’s compliance with Article 33 of the GDPR in respect of the Token Data Breach notified to the DPC. The inquiry concerns Article 33 – notification of a personal data breach to the supervisory authority.

24 April 2019: The DPC commenced an own volition examination and assessment of whether or not Facebook Ireland Limited has complied with its obligations under the GDPR, in particular under Articles 5(1)(f)(appropriate security when processing), 32 (Security of Processing) and 33 (Notification of Personal Data Breach), in connection with the processing of personal data in the context of the Passwords Issue (issue is that user passwords were held in plain text format rather than in hashed and salted format).

Facebook Ireland Limited / Instagram

20 August 2018: Following a complaint, the DPC commenced an assessment of Facebook Ireland Limited’s lawful basis for processing and transparency in respect of the Terms of Use and Data Policy of the ‘Instagram’ service. This concerns Article 6 – lawfulness of processing, Article 7 — conditions for consent, Article 12 — transparent information, and Article 13 — information to be provided where personal data are collected from the data subject.

21 September 2020: The DPC commenced an own volition inquiry concerning the processing by Facebook Ireland Limited in the context of personalised advertising and child users of the Instagram service. The inquiry considers the range of different legal bases relied on by Facebook Ireland Limited for personalised advertising shown to child users, and also considers whether Facebook Ireland Limited processes special category personal data, and issues relating to transparency. The inquiry concerns Article 6 – lawfulness of processing, Article 9 — processing special categories of personal data, Article 12 — transparent information, and Article 13 — information to be provided where personal data are collected from the data subject.

Meta Platforms Ireland Limited

28 August 2020: The DPC commenced an own volition inquiry into data transfers from the EU to US. The inquiry concerns Article 46 – transfers subject to appropriate safeguards and Article 49 — derogations for specific situations.

18 June 2021: Following a complaint, the DPC commenced an inquiry regarding data transfers from the EU to US. The inquiry concerns Article 46 — transfers subject to appropriate safeguards and Article 49 — derogations for specific situations.

WhatsApp Ireland Limited

20 August 2018: Following a complaint, the DPC commenced an assessment of WhatsApp’s lawful basis for processing and transparency in respect of the Terms of Service and Privacy Policy of the ‘WhatsApp’ application. The inquiry concerns Article 6 – lawfulness of processing, Article 7 — conditions for consent, Article 12 — transparent information, and Article 13 — information to be provided where personal data are collected from the data subject.

2 November 2021: Following a complaint, the DPC commenced an inquiry examining whether WhatsApp’s handling of access and portability requests is complaint with the GDPR and with the Data Protection Act 2018. The inquiry concerns Article 5 – principles relating to processing of personal data, Article 6 — lawfulness of processing, Article 12 — transparent information, Article 15 – right of access by the data subject, Article 20 – right to data portability, and Article 25 – data protection by design and default.

8 September 2022: Following a complaint, the DPC commenced an inquiry in relation to Article 12 — transparent information and Article 20 – right to data portability.

 

Media Jobs