DPC sends draft decision on Facebook data breach probe
The draft decision on the Meta investigation was sent to other EU data authorities, who have one month to review and raise any ‘relevant and reasoned objections’.
The data watchdog launched a probe into the company last year, after personal data from around 533m Facebook users was leaked online.
In a statement on 14 April 2021, the DPC said it believed that “one or more provisions” of GDPR and the 2018 Data Protection Act could have been infringed “in relation to Facebook users’ personal data”.
The investigation was launched to determine whether the social media giant complied with its personal data obligations by means of the Facebook search, Facebook Messenger contact importer and Instagram contact importer features.
DPC deputy commissioner Graham Doyle said the draft decision was submitted to other European data watchdogs on 30 September.
“This is part of the process under Article 60 of the GDPR, where the DPC sends draft decisions to other Concerned Supervisory Authorities and they have one month to review its draft decision and raise any ‘relevant and reasoned objections’ that they may have,” Doyle said.
At the time of the leak, Meta said the data came from a large-scale scraping incident that took place before the introduction of GDPR, and so it was not required to notify the DPC of the leak.
Meanwhile, Meta has lodged a High Court appeal against the €405m fine the DPC issued to Instagram last month.
This is the highest fine ever imposed by the DPC and related to breaches Instagram made in the processing of children’s data.
The data watchdog said its investigation concerned the processing of personal data related to minors and their privacy, with children’s email addresses and phone numbers being made public in some cases.
Last July, Luxembourg’s data watchdog issued a fine of €746m to Amazon for “non-compliance with general data processing principles”. This is the largest fine that has been levied under GDPR since the rules were introduced in 2018.