Instagram — Enforcement
Executive Summary
The Irish DPC fined Meta €265 million for failing to protect user data 'by design and by default' under GDPR, after data of hundreds of millions of users was scraped via a vulnerability in Instagram's Contact Importer feature. The scraped data, which included phone numbers and profile information, was subsequently published online.
What Happened
On November 25, 2022, Ireland's Data Protection Commission fined Meta €265 million for violating GDPR's Data Protection by Design and Default requirements. The fine resulted from an inquiry into data scraping that occurred between May 2018 and September 2019, in which attackers exploited vulnerabilities in the Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools. The scraped data of 533 million Facebook users, including phone numbers, locations, birthdates, Facebook IDs, full names, and email addresses, was subsequently published on a hacking website in April 2021.
Who Is Affected
Approximately 533 million Facebook and Instagram users worldwide are affected by this data breach. The exposed information includes highly sensitive personal details such as phone numbers, email addresses, full names, locations, birthdates, and Facebook IDs from the 2018-2019 period. Meta acknowledged the data was accessed through a vulnerability that the company fixed in 2019.
Why It Matters
This €265 million fine represents the third-highest penalty issued under GDPR to date and demonstrates increasingly strict enforcement of data protection regulations. The decision specifically targets Meta's failure to implement adequate technical and organizational measures to protect user data from the design stage, setting a precedent for holding platforms accountable for preventable security vulnerabilities. All EU data protection supervisory authorities agreed with this decision, signaling coordinated regulatory action across the European Union.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.