General Data Protection Regulation (GDPR) , Legislation & Litigation , Standards, Regulations & Compliance

Facebook Opposes Irish Data Watchdog's 265-Million-Euro Fine

High Court Says Facebook Can Pursue Litigation Against Data Protection Commission
Facebook Opposes Irish Data Watchdog's 265-Million-Euro Fine
Facebook's European headquarters building in Dublin's Grand Canal Dock in a photo taken in June 2019 (Image: Shutterstock)

Facebook is asking Ireland's High Court to quash a 265-million-euro fine levied by the country's data privacy watchdog in November after the phone numbers and other profile information of more than half a billion users appeared online.

See Also: Webinar | Using the NIST Privacy Framework to Solve Common Data Privacy Problems

A High Court justice granted Facebook permission to pursue litigation over the fine from the Irish Data Protection Commission, reported The Irish Times on Monday. The company seeks a ruling that parts of the country's data protection statute are unconstitutional and says the commission lacked authority to impose a 265-million-euro fine - a "sanction so severe as to be criminal in nature," the newspaper reported.

A user of the now-shuttered BreachForums in April 2021 posted a data set of 533 million Facebook profiles, including mobile numbers, email addresses and names scraped from the site in 2018 and 2019. Facebook said the bad actors had exploited a technique it curtailed in 2019. The Irish Data Protection Commission determined that Facebook had run afoul the "data protection by design and default" requirement mandated by Europe's General Data Protection Regulation and Irish law.

Facebook is arguing that the requirement applies to its own actions and that it shouldn't be used to punish it for the abusive conduct of third parties.

"It just doesn't seem like a great argument," said Antoin O Lachtnain, director of Digital Rights Ireland, when reached by phone by Information Security Media Group. The Irish Data Protection Commission never determined whether the scraping caused injury, just that Facebook hadn't complied with a technical requirement of the GDPR, he said. European data protection laws allow fines up to 4% of a firm's global revenue, he added.

Facebook reported revenue of $23 billion in 2022 and $39 billion in 2021. For Facebook, a 265-million-euro fine "is just a number. It's not really a very big fine in context," he said.

Digital Rights Ireland earlier this year challenged the Irish Data Protection Commission in court by arguing that the commission should have found Facebook liable for the scraped information.

The civil society group and the commission settled in February, and the commission agreed to consider a complaint filed by Digital Rights Ireland seeking a finding of liability.

With reporting by ISMG's David Perera in Washington, D.C.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.