Facebook Opposes Irish Data Watchdog's 265-Million-Euro FineHigh Court Says Facebook Can Pursue Litigation Against Data Protection Commission
Facebook is asking Ireland's High Court to quash a 265-million-euro fine levied by the country's data privacy watchdog in November after the phone numbers and other profile information of more than half a billion users appeared online.
A High Court justice granted Facebook permission to pursue litigation over the fine from the Irish Data Protection Commission, reported The Irish Times on Monday. The company seeks a ruling that parts of the country's data protection statute are unconstitutional and says the commission lacked authority to impose a 265-million-euro fine - a "sanction so severe as to be criminal in nature," the newspaper reported.
A user of the now-shuttered BreachForums in April 2021 posted a data set of 533 million Facebook profiles, including mobile numbers, email addresses and names scraped from the site in 2018 and 2019. Facebook said the bad actors had exploited a technique it curtailed in 2019. The Irish Data Protection Commission determined that Facebook had run afoul the "data protection by design and default" requirement mandated by Europe's General Data Protection Regulation and Irish law.
Facebook is arguing that the requirement applies to its own actions and that it shouldn't be used to punish it for the abusive conduct of third parties.
"It just doesn't seem like a great argument," said Antoin O Lachtnain, director of Digital Rights Ireland, when reached by phone by Information Security Media Group. The Irish Data Protection Commission never determined whether the scraping caused injury, just that Facebook hadn't complied with a technical requirement of the GDPR, he said. European data protection laws allow fines up to 4% of a firm's global revenue, he added.
Facebook reported revenue of $23 billion in 2022 and $39 billion in 2021. For Facebook, a 265-million-euro fine "is just a number. It's not really a very big fine in context," he said.
Digital Rights Ireland earlier this year challenged the Irish Data Protection Commission in court by arguing that the commission should have found Facebook liable for the scraped information.
The civil society group and the commission settled in February, and the commission agreed to consider a complaint filed by Digital Rights Ireland seeking a finding of liability.
With reporting by ISMG's David Perera in Washington, D.C.