Administrative fine in the amount of 265 million euros applied by the Irish Data Protection Authority to Meta Platforms for the infringement of Article 25(1) and 25(2) of GDPR

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of 265 million euros applied by the Irish Data Protection Authority (SA) to Meta Platforms for the infringement of Article 25(1) and 25(2) of GDPR.

The Irish SA commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.

In this context it was found the infringement of Articles 25(1) and 25(2) of GDPR. The decision imposed a reprimand and an order requiring Meta Platforms to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed an administrative fine in the amount of 265 million euros to Meta Platforms.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.