Organisations must prioritise privacy by design as supervisory bodies increase their enforcement efforts. The Irish Data Protection Commission (DPC) fined Meta significantly for processing the personal data of Facebook users in violation of the GDPR after an investigation found deficiencies in their compliance with the privacy by design requirement. Organisations ignore privacy by design at their peril, as supervisory authorities are turning it into a practical requirement by issuing fines and taking it more seriously.
Why Meta’s battle with data protection authorities matters to privacy by design
Meta (previously Facebook) is a company that owns and operates some of the largest social media networks in the world, with a large chunk of the world’s population active on at least one of their platforms, including Facebook, Instagram and WhatsApp. They have come under fire from several data protection authorities worldwide in recent years, notably in Ireland, where they have chosen to incorporate their European headquarters in Dublin. Meta’s products have substantial privacy implications, and regulatory decisions against them have the potential to affect many organisations across multiple industries.
Privacy by design is a central part of modern data protection laws and calls upon those designing and implementing projects involving personal data to take steps to consider privacy issues from the outset. Historically, the concept was usually theoretical, with few supervisory authorities enforcing it meaningfully. However, this is starting to change, and organisations need to take note or risk attracting significant fines and other penalties.
Enforcement action against Meta is at the cutting edge of how data protection authorities apply privacy by design.
How the Irish DPC decided to fine Meta
The DPC issued Meta a fine of 265 million euros in November 2022 after finalising an investigation into how Meta was processing the personal data of their data subjects in terms of the GDPR. The incident involved more than five hundred million Facebook users, and the personal data included their contact information in the form of email addresses and phone numbers. The DPC also required Meta to take remedial steps within a certain period.
The incident began when the media reported that someone leaked a Facebook dataset to a hacking website. In response, the DPC started their investigation in April 2021. The dataset consisted of personal data scraped from users’ public profiles between 2018 and 2019.
The DPC investigated how well Meta was complying with the GDPR and found them deficient in applying the principle of Privacy by Design (PbD) in Article 25 because they did not have sufficient technical and organisational measures to prevent unauthorised access to personal data. The DPC found that Meta could have implemented measures such as ‘captchas’ and rate limiting to prevent bad actors from scraping the data, yet failed to do so, without any explanation as to why such measures were unaffordable or otherwise inappropriate. The DPC also took a dim view of users’ phone numbers not being set to private by default, which would have prevented this information from being scraped in the first place.
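As an added illustration of the two Article 25 measures the DPC pointed to (this is constructed example code, not Meta’s code or anything from the decision), the snippet below models a public profile-lookup endpoint where contact fields are hidden unless the user explicitly opts in, and where each client is rate limited so bulk scraping is throttled. The `UserProfile`, `SlidingWindowLimiter` and `lookup_profile` names, and the sample profiles, are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from collections import defaultdict, deque

# Constructed example, not Meta's code: "data protection by default" applied
# to a profile-lookup endpoint, plus per-client rate limiting of the kind the
# DPC said would have slowed bulk scraping.

# Privacy by default: contact fields are hidden unless the user opts in.
DEFAULT_VISIBILITY = {"name": "public", "email": "only_me", "phone": "only_me"}

@dataclass
class UserProfile:
    user_id: str
    fields: dict                                    # field name -> value
    visibility: dict = field(default_factory=dict)  # the user's explicit choices

    def visible_to_public(self) -> dict:
        """Return only fields the user has made public; unknown fields stay hidden."""
        out = {}
        for name, value in self.fields.items():
            vis = self.visibility.get(name, DEFAULT_VISIBILITY.get(name, "only_me"))
            if vis == "public":
                out[name] = value
        return out

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # client key -> timestamps of recent requests

    def allow(self, client: str, now: float) -> bool:
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def lookup_profile(limiter, profiles, client, user_id, now):
    """Public profile endpoint: rate limited, and returns only public fields."""
    if not limiter.allow(client, now):
        return {"error": "rate_limited", "status": 429}
    profile = profiles.get(user_id)
    if profile is None:
        return {"error": "not_found", "status": 404}
    return {"status": 200, "profile": profile.visible_to_public()}

# Constructed sample data: Alice keeps the defaults, Bob has opted to show his phone.
PROFILES = {
    "u1": UserProfile("u1", {"name": "Alice", "phone": "+1-555-0100", "email": "a@example.org"}),
    "u2": UserProfile("u2", {"name": "Bob", "phone": "+1-555-0101"}, visibility={"phone": "public"}),
}
```

With the defaults, a lookup of `u1` returns only the name, while `u2` returns the phone number only because that user explicitly chose to publish it; a client that exceeds the limit receives a 429 until its window rolls over.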
What we can learn from Meta’s shortcomings in privacy by design
Privacy by design is fast going from something that supervisory authorities talk about in the abstract as a lofty goal to something practical where they can fine organisations for not implementing it properly. Some critics say that fines will not prompt organisations to implement privacy by design because they may just add the fines to their budgets as a business cost. However, the more fines supervisory authorities issue related to privacy by design and the more seriously they take it, the more foolish organisations would be to ignore it.
Actions you can take
- Learn about privacy by design in detail in the context of data protection law by joining our data protection programme.
- Explore the issue in depth by reading the entire decision by the Irish Data Protection Commission against Meta.
- Get help by asking us to assist you in complying with the privacy by design requirement in terms of relevant data protection laws.