Why Meta Faced a €265 Million Fine Over Facebook Data Leak

On November 28, 2022, the Irish Data Protection Commission (DPC) imposed a €265 million (US$277 million) fine on Meta because the company failed to protect the personal data of more than 5 billion Facebook users, intensifying privacy enforcement against U.S. tech firms.

The penalty followed an investigation launched by European regulators on April 14, 2021, after a leak of a compiled data set of Facebook personal data already available on the internet.

The exposed data included personal information linked to 533 million users, such as phone numbers, birth dates, locations, email addresses, gender, marital status, account creation dates, and other details.

Meta acknowledged that malicious actors scraped this “old data” using a technique called “phone number enumeration,” which involved a tool named “Contact Importer” to upload large phone‑number lists and discover matching user profiles.

Beyond the fine, the Irish regulator ordered Meta’s Irish subsidiary to ensure its data processing complies with EU data‑protection law. This marks the fourth time Ireland has fined Meta and its subsidiaries, including Instagram and WhatsApp.

In September 2021, WhatsApp was fined €225 million for not disclosing how it collected and used users’ personal information. In September 2022, Instagram was fined €405 million for violating the GDPR by improperly handling minors’ online data through publicly operated business accounts’ phone numbers and email addresses.