The information stolen from the platform had been published on an underground forum and contained the names, telephone numbers and geographical information of the affected users, referring to 2018 and 2019.
The decision of the authority was adopted on Friday and established a violation of Articles 25(1) and 25(2) of the GDPR. Article 25 deals with the concept of privacy by design and default: that is, it means that any company that uses personal data in its business must have the protection of this information in mind at every stage of designing services. Privacy must also be a default setting, and that only strictly necessary data is processed and stored.
The investigation was conducted in tandem with other European data protection authorities, all of which supported the Irish Commission's finding.
Twitter content This content can also be viewed on the site it originates from.
In 2021, Meta tried to defend itself, saying that the data shared online came from a breach two years earlier . The company added that the vulnerability that had caused the data leak had already been identified and fixed.
It is not yet clear whether Meta will appeal the Commission's decision. A spokesperson told Techcrunch that a review process of the provisions is underway. “Unauthorized data collection is unacceptable and against our rules – we will continue to work on this industry challenge,” he added.
In September 2021, Whatsapp (which is owned by Meta) was fined over two hundred and twenty million euros for violating the GDPR rules on transparency. In September of this year, however, a new sanction for the improper management of minors' data arrived.