Facebook Hit with $277M GDPR Fine for Web Scraping Leak – What You Need to Know
Privacy & Compliance | November 29, 2022
Meta, the social media giant and parent company of Facebook, has been hit with a 265 million euro ($277 million) fine for failing to comply with the EU’s General Data Protection Regulation (GDPR). The fine is the largest ever imposed on Meta and the second-largest GDPR fine to date.
On November 28th, Ireland’s data privacy regulator, the Data Protection Commission (DPC), issued a decision stemming from an inquiry into the web scraping of Facebook user data. Alongside the multi-million euro fine, the decision also requires a range of corrective measures from the company.
The DPC is responsible for regulating several high-profile tech companies, including Meta, Apple, Google, and TikTok, because their EU headquarters are located in Ireland. Meta has now been hit with four fines from the DPC, totaling nearly 1 billion euros. The DPC currently has 40 open inquiries into GDPR violations, including 12 more involving Meta.
Why Facebook is Being Fined
This penalty resulted from an investigation that started back in April 2021 after media reports that a dataset of more than 530 million Facebook users’ personal data had been made available on a hacking forum. The dataset exposed the personally identifiable information (PII) of Facebook users from 106 countries, with over 32 million records belonging to users from the US, 11 million from the UK, and 1.3 million Irish Facebook users. Data exposed included email addresses, phone numbers, full names, birthdays, and other PII.
Facebook responded to news of the leak by claiming that the data had been scraped from Facebook profiles by bad actors who abused the company’s contact importer feature before September 2019, when the feature was changed to prevent that abuse.
The DPC’s inquiry examined several Facebook, Messenger, and Instagram contact importer and search tools offered by Facebook between the date the GDPR took effect and the discovery of the leaked data. It determined that Facebook had failed to build these products in a way that stopped scraping attacks, and had therefore failed to meet the GDPR requirement for Data Protection by Design and Default set out in Article 25 of the regulation.
“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” the DPC said, specifying that it had examined the implementation of “technical and organizational” measures relevant to Article 25 GDPR (which deals with data protection by design and default).
Specifically, the DPC identified “infringement of Articles 25(1) and 25(2) GDPR,” which require “appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed,” and that the same obligation “applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”
The DPC said that it is also imposing corrective measures on Facebook, writing: “The decision imposed a reprimand and an order requiring MPIL [Meta Platforms Ireland Limited] to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.”
Facebook has been given a three-month period from the issue of the decision to comply.
What is Web Scraping?
Web scraping is the process of pulling content and data from a website, typically with automated bots programmed to recognize and extract certain data from a website. Search engines, price comparison tools, and market research companies often use web scrapers for legitimate purposes, but they’re also popular with bad actors who use the tools to build datasets to sell or leverage in other attacks.
Scraper bots can be programmed to extract data from a website’s HTML or from the APIs that back it, but they can also be programmed to interact with a website in the manner a real user would, in order to fool site owners and thwart detection efforts.
Meta’s Ongoing Fight Against Web Scrapers
Automated data collection without permission is a violation of Facebook’s terms of service, and the company has made frequent attempts to crack down on the practice.
Meta has also taken extensive legal action against commercial web scraping companies. In October 2020, the company sued two web scraping firms, which settled for a “significant sum” in 2022. Meta took legal action against two more scraping-for-hire firms in July 2022.
Facebook also claims to have implemented significant security measures to fight data scraping. The company says it has stood up an External Data Misuse (EDM) team of more than 100 people and has applied rate limits and data limits to make scraping more difficult. These controls cap the speed and frequency of interactions with Facebook products, and the volume of data returned, so that automated tools cannot quickly gather large quantities of information. Facebook analysts also examine traffic and behavior patterns to detect and block automated activity.
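To make the rate and data limits described above concrete, here is an added example (not Meta’s code, and not part of the original article) of a hypothetical contact-lookup endpoint of the kind that was abused: callers submit a batch of phone numbers and receive the matching profiles. It applies a per-account sliding-window rate limit on requests, a per-account daily cap on how many matched profiles are returned, and a simple behavioral heuristic that flags batches of consecutive numbers as enumeration rather than a genuine address-book import. The class and function names, the thresholds, the account names and the phone-number range are all constructed for the example.

```python
from collections import Counter, defaultdict, deque


class ContactLookupService:
    """Hypothetical contact-importer endpoint (constructed for this example).

    lookup() takes a batch of phone numbers and returns the profiles that match,
    subject to two Article 25-style controls applied per calling account:
      * a sliding-window rate limit on the number of lookup requests, and
      * a daily cap ("data limit") on how many matched profiles are returned.
    """

    def __init__(self, directory, max_requests, window_seconds, max_matches_per_day):
        self.directory = directory            # phone number (str) -> profile id
        self.max_requests = max_requests
        self.window = window_seconds
        self.max_matches = max_matches_per_day
        self._requests = defaultdict(deque)   # account -> timestamps inside the window
        self._matches = defaultdict(int)      # account -> matches returned so far today

    def lookup(self, account, phone_numbers, now):
        """Return {"status": ..., "matches": [...]}; `now` is a timestamp in seconds."""
        stamps = self._requests[account]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                  # drop requests that fell out of the window
        if len(stamps) >= self.max_requests:
            return {"status": "rate_limited", "matches": []}
        stamps.append(now)

        remaining = self.max_matches - self._matches[account]
        if remaining <= 0:
            return {"status": "data_limited", "matches": []}

        matches = [self.directory[n] for n in phone_numbers if n in self.directory]
        matches = matches[:remaining]         # never return more than the daily cap allows
        self._matches[account] += len(matches)
        return {"status": "ok", "matches": matches}


def enumeration_ratio(phone_numbers):
    """Fraction of adjacent (sorted) numbers that differ by exactly 1.

    A real address book is sparse; a batch of consecutive numbers is the
    signature of someone walking the number space rather than importing contacts.
    """
    nums = sorted({int(n) for n in phone_numbers})
    if len(nums) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return consecutive / (len(nums) - 1)


def simulate():
    """Run a normal contact import and an enumeration scraper against the service."""
    base = 353870000000                      # constructed mobile-number range, not real data
    # 200 hypothetical accounts, one on every 5th number in the range.
    directory = {str(base + 5 * i): f"profile-{i}" for i in range(200)}
    svc = ContactLookupService(directory, max_requests=10, window_seconds=60,
                               max_matches_per_day=50)

    # Normal user ("alice", hypothetical): one upload of 30 contacts, 3 on the platform.
    normal_contacts = [str(base + 5 * i) for i in range(3)] + \
                      [str(base + 5 * i + 1) for i in range(27)]
    normal = svc.lookup("alice", normal_contacts, now=0.0)

    # Scraper: 50 batches of 100 consecutive numbers, 100 ms apart.
    scraper_results = []
    max_ratio = 0.0
    for batch in range(50):
        numbers = [str(base + 100 * batch + k) for k in range(100)]
        max_ratio = max(max_ratio, enumeration_ratio(numbers))
        scraper_results.append(svc.lookup("scraper", numbers, now=0.1 * batch))

    return {
        "normal": normal,
        "normal_enumeration_ratio": enumeration_ratio(normal_contacts),
        "scraper_status_counts": dict(Counter(r["status"] for r in scraper_results)),
        "scraper_matches": sum(len(r["matches"]) for r in scraper_results),
        "scraper_enumeration_ratio": max_ratio,
    }


if __name__ == "__main__":
    result = simulate()
    print("normal user:", result["normal"]["status"], len(result["normal"]["matches"]))
    print("scraper:", result["scraper_status_counts"], result["scraper_matches"],
          result["scraper_enumeration_ratio"])
```

With these thresholds the normal import succeeds and returns its 3 matches, while the scraper gets only 3 successful batches (capped at 50 profiles in total) before the data limit refuses further matches and the rate limit rejects everything after the tenth request in the window; its batches also score an enumeration ratio of 1.0 against roughly 0.1 for the real address book. The point is that the data limit, not just the rate limit, bounds the worst case: even a scraper that spreads requests across many accounts and days gains at most the cap per account per day.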
These measures may not be enough, though, as stolen datasets from Meta properties continue to appear on the dark web. On November 16th, an ad posted on a popular hacking forum offered a 2022 database of 487 million WhatsApp user mobile numbers for sale.
According to the ad, the dataset contains user data from 84 countries, including 32 million US user records, 35 million Italian user records, and 20 million French user records.
Mounting Fines Raise Privacy Pressure on Big Tech
This fine is just the latest in a string of large fines levied against Meta and other leading tech companies since the implementation of the GDPR in 2018.
In the last year alone, the DPC has hit Meta with nearly 1 billion euros in fines. The regulator first fined WhatsApp 225 million euros ($267 million) in September 2021 for giving users inadequate information about the processing of their personal data, then followed up with a 17 million euro ($18.6 million) fine against Facebook for poor handling of data breach notifications.
And in September 2022, the DPC issued a 405 million euro fine against Meta’s Instagram for violating children’s data protection rules, concerning the lawfulness of its processing as well as the “public-by-default” processing of data from users aged 13-17.
Other EU enforcement authorities have also targeted Facebook. In January 2022, France’s CNIL fined Facebook, Google, and YouTube a combined 210 million euros because their French websites failed to give visitors an option to decline tracking as easily as the one-button ‘accept all’ cookies option they offered, a violation of the EU’s ePrivacy Directive.
But Facebook is not the only one feeling the pressure. Regulators have handed out an average of 50 GDPR fines every month, for a total of 1,345 as of November 2022, and have hit companies like Amazon and Google with massive penalties. Amazon, for example, was fined $887 million in July 2021 for improperly gathering user consent, the largest GDPR fine to date.
And while high-profile, multinational companies like Amazon, Google, and Facebook have faced much larger fines, enforcement actions against small and mid-sized businesses have also been increasing.