Businesses take all sorts of measures to remain competitive in the marketplace, but that should not come at the expense of violating data privacy laws. The latest example is a regulator fining Meta for failing to protect the privacy of its users.
Recently, the Irish data watchdog Data Protection Commission (DPC) fined Facebook’s owner about $277 million after it discovered a breach that led to details of over 500 million users getting published online. The Data Protection Commission (DPC) mentioned that Meta infringed upon two articles of the EU’s data privacy laws after malicious actors scraped details of Facebook users worldwide from their public profiles in 2018 and 2019.
The DPC, which regulates Meta across the EU, discovered the data on a hacking website last year and launched an investigation into the incident. The DPC says that a large number of the affected users were from the EU.
Not Just A Fine
Additionally, the privacy watchdog imposed a “reprimand and order” on Meta, requiring it to take particular remedial actions within a specified timeframe and bring its data processing into compliance.
In a statement, Meta explained: “We made certain changes to our systems during the mentioned time, including removing the ability of a person to scrape our features using phone numbers. We consider unauthorized data scraping against our rules and unacceptable.”
What is Data Scraping?
Data scraping, also called web scraping, is the process of extracting data from websites, and in this context it is how threat actors harvested user details. While a user can scrape data manually, attackers commonly use automated tools. Such tools can extract data from many web pages simultaneously and save it in a structured format for further analysis.
Threat actors use data scraping to collect data about products, reviews, prices and more. They can also use it to fill out forms automatically or gather contact information from websites. The company, earlier called Facebook, said the data was gathered by threat actors who misused a Facebook feature called “Contact Importer”.
They uploaded a massive volume of phone numbers to the site to see which ones matched existing users. On Monday, Meta reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.
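The abuse described above is a classic enumeration pattern: a contact-matching feature built for syncing a personal address book is fed huge batches of candidate phone numbers, and the service's answers reveal which ones belong to real accounts. The following is an added example, not code from the article or from Meta, showing what a defender can do on the server side: flag accounts whose lookup volume and match ratio look like bulk enumeration rather than a normal contact sync, and enforce a per-account quota before a lookup is served. The log rows and the thresholds (`MAX_BATCH`, `MAX_PER_DAY`, `MIN_MATCH_RATIO`) are constructed for illustration and are not Meta's actual limits.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, one row per contact-import request:
# (account id, UTC timestamp, numbers uploaded, numbers that matched a user).
# The values are made up for this example.
SAMPLE_EVENTS = [
    ("acct_1001", "2019-03-01T09:00:00", 120, 95),    # normal phone-book sync
    ("acct_1001", "2019-03-01T21:15:00", 15, 12),
    ("acct_7331", "2019-03-01T09:00:00", 5000, 210),  # bulk upload, few real users
    ("acct_7331", "2019-03-01T09:01:00", 5000, 198),
    ("acct_7331", "2019-03-01T09:02:00", 5000, 205),
    ("acct_7331", "2019-03-01T09:03:00", 5000, 187),
    ("acct_4242", "2019-03-01T10:30:00", 300, 240),
]

# Assumed policy thresholds, chosen for illustration only.
MAX_BATCH = 1000        # a genuine address book rarely exceeds this
MAX_PER_DAY = 3000      # total numbers one account may look up per 24h
MIN_MATCH_RATIO = 0.25  # real contact lists mostly contain real users


@dataclass
class ImportEvent:
    account: str
    ts: datetime
    uploaded: int
    matched: int


def parse_events(rows):
    """Turn the raw tuples into typed events."""
    return [ImportEvent(a, datetime.fromisoformat(t), u, m) for a, t, u, m in rows]


def flag_enumeration(events, window=timedelta(hours=24)):
    """Return {account: [reasons]} for accounts whose lookup pattern looks like
    bulk phone-number enumeration rather than a normal contact sync."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []
        if any(e.uploaded > MAX_BATCH for e in evs):
            reasons.append("oversized_batch")
        # Sliding window: largest number of lookups in any 24h span.
        peak = running = start = 0
        for end, e in enumerate(evs):
            running += e.uploaded
            while evs[end].ts - evs[start].ts > window:
                running -= evs[start].uploaded
                start += 1
            peak = max(peak, running)
        if peak > MAX_PER_DAY:
            reasons.append("daily_volume_exceeded")
        # A low hit rate over a large volume means the input was not a real
        # address book but a list of candidate numbers.
        total_up = sum(e.uploaded for e in evs)
        total_match = sum(e.matched for e in evs)
        if total_up >= MAX_BATCH and total_match / total_up < MIN_MATCH_RATIO:
            reasons.append("low_match_ratio")
        if reasons:
            findings[account] = reasons
    return findings


class ContactImportGuard:
    """Server-side quota checked before a contact lookup is answered."""

    def __init__(self, max_batch=MAX_BATCH, max_per_day=MAX_PER_DAY):
        self.max_batch = max_batch
        self.max_per_day = max_per_day
        self.history = defaultdict(list)  # account -> [(ts, uploaded)]

    def allow(self, account, ts, batch_size):
        """Return True if this batch may be served, recording it if so."""
        if batch_size > self.max_batch:
            return False
        cutoff = ts - timedelta(hours=24)
        recent = [(t, n) for t, n in self.history[account] if t > cutoff]
        self.history[account] = recent
        if sum(n for _, n in recent) + batch_size > self.max_per_day:
            return False
        recent.append((ts, batch_size))
        return True


if __name__ == "__main__":
    for account, reasons in flag_enumeration(parse_events(SAMPLE_EVENTS)).items():
        print(account, reasons)
```

The detector runs offline over request logs and is useful for finding abuse that has already happened; the guard is the preventive control, and it is the guard that turns a match-everything feature into one that can only be used at the pace a real person syncs a phone book. In practice both thresholds would be tuned from the observed distribution of legitimate batch sizes.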
The latest fine is among many that Meta faces for data privacy issues. DPC has fined Meta over $1 billion since September last year. In September 2021, Meta received another fine of over $400 million for allowing teenagers to set up Instagram accounts and publicly display their email addresses and phone numbers. Furthermore, in March 2022, the privacy watchdog fined Meta about $17 million for additional GDPR breaches, including a $225 million fine on Meta’s WhatsApp for “serious” and “severe” GDPR infringements.
How Can Organizations Remain GDPR Compliant and Avoid Such Fines?
Such incidents highlight the need for organizations to focus on various data privacy laws to safeguard their users against breaches. For starters, they must know the critical articles and concepts regarding GDPR. Remaining GDPR compliant doesn’t merely involve “fixing a website”; it must be an integral part of the organization. Following are the steps businesses can take:
- Data mapping: A crucial step towards remaining GDPR compliant is understanding how data moves within your organization. Document the information flow in your enterprise by building an inventory of the personal data you hold. A data map is a good starting point and will help demonstrate that you comply.
- Privacy Policy: You must regularly review and update your Privacy Policy. It is the first place data privacy watchdogs look to check whether you are GDPR compliant.
- Training: The GDPR is a project that demands business change. Your employees must understand the importance of data protection and phishing protection, and be trained on GDPR’s fundamental principles and the procedures your organization has implemented for compliance.
- Report data breaches: You must implement the proper procedures to detect, investigate and report internal and external data breaches. According to GDPR guidelines, you must report a breach to the Supervisory Authority within the first 72 hours unless personal data is anonymized or encrypted.
About Data Protection Commission (DPC)
The DPC regulates Google, Apple, TikTok and other technology platforms that have their EU headquarters in Ireland. It is currently processing 40 open inquiries into such technology giants, including 13 involving Meta. The Irish regulator recently issued a statement that other relevant EU regulators agreed with its decision on Monday regarding a draft ruling under the bloc’s “one-stop shop” method of regulating large multinationals.
The EU is tightening regulation on big tech companies. The bloc recently passed, and is starting to implement, two new laws for big tech companies: one aims to limit potentially anticompetitive conduct, and the other requires them to demonstrate that they have robust content-moderation systems.
According to EU officials, the tech giants are currently in talks with the EU’s executive arm, the European Commission, to determine which of the new laws will apply to the specific services they provide. Elements of the new laws will be enforced in the middle of next year.
Meta is not the only technology giant facing scrutiny. Last year, regulators in Luxembourg fined Amazon nearly $750 million over its advertising. In January, French regulators fined Google about $150 million because its users did not get an acceptable way to decline the cookie trackers used by online advertisers for tracing a person’s internet browsing history.
Final Words
Businesses must acknowledge that remaining transparent about using and protecting user data is a legal requirement today. Each organization (including public sector entities and charities) must define a scope to collect specific data. As evident from the massive fine regulators slapped on Meta and other technology giants, organizations must make data privacy inherent to their operations or risk paying enormous penalties. They must only collect personal information required to offer a service or product, nothing else. Also, they must not share the data for other unrelated purposes.