EU Regulation 2016/679 - Decision Register

DECISION OF THE IRISH DPC / 25 NOVEMBER 2022 / ANNOUNCED 28 NOVEMBER 2022

Meta €265 Million DPC Fine, 2022 Facebook Data-Scraping Decision Explained

The Irish Data Protection Commission fined Meta Platforms Ireland €265 million over the Facebook data-scraping incident, finding that the contact-import and search tools breached the Data Protection by Design and Default obligations in Articles 25(1) and 25(2) GDPR.

Fine amount

€265,000,000

Issuing DPA

Irish DPC

Decision date

25 Nov 2022

Status

Final

Articles cited

25(1), 25(2)

EDUCATIONAL ONLY

This page is a reference summary of a published regulator decision. It is not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. The UK GDPR is a separate regime from the EU GDPR following Brexit. Always read the source decision in full before relying on any figure or quote.

DECISION SUMMARY

What happened

On 28 November 2022, Ireland's Data Protection Commission (DPC) announced a final decision, adopted on 25 November 2022, imposing a €265 million administrative fine on Meta Platforms Ireland Limited (MPIL). The decision concluded an inquiry into the Facebook "data scraping" incident, opened after a collated dataset of Facebook user data was found published on the internet in April 2021. The inquiry examined whether Meta had complied with its obligation to build data protection into the design of the affected features.

The scope of the inquiry covered the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools, and the processing carried out by MPIL between 25 May 2018 (the date the GDPR took effect) and September 2019. During that period, third parties abused those tools to match very large lists of phone numbers against user profiles, enabling them to compile personal data on more than 500 million users from over 100 countries. The compiled dataset included names, Facebook IDs, phone numbers, locations, dates of birth and email addresses.

The incident was not a conventional security breach in which an attacker penetrated Facebook's systems. The data was assembled by exploiting features working as built, at scale, because those features lacked adequate safeguards against enumeration and bulk matching. The DPC's inquiry therefore centred on Data Protection by Design and Default rather than on the security-of-processing obligation in Article 32.

What the DPC found

The decision recorded findings of infringement of Articles 25(1) and 25(2) GDPR. Article 25(1) requires a controller, both at the time of determining the means of processing and at the time of processing itself, to implement appropriate technical and organisational measures designed to implement the data-protection principles effectively and to integrate the necessary safeguards into the processing. Article 25(2) requires that, by default, only personal data necessary for each specific purpose is processed, including limits on the amount of data collected, the extent of processing, the storage period and accessibility.

The DPC concluded that Meta's contact-import and search features did not meet either obligation. The features allowed identifiers such as phone numbers to be matched to profiles at a scale and with a default accessibility that exposed large volumes of personal data to collection by third parties. Effective measures, such as default-private settings, rate limiting and controls on bulk enumeration, were not built in by design or applied by default during the relevant period. Because the deficiencies were in the design and default configuration of the processing, they fell squarely within Article 25.

The corrective measures and the fine

Alongside the €265 million fine, the DPC imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a set timeframe. Article 25 infringements fall under the lower fining tier in Article 83(4)(a), which caps fines at €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Given Meta's scale, the 2% turnover ceiling sat well above €265 million, so the amount reflects the DPC's Article 83(2) assessment of the gravity and duration of the infringement and the very large number of affected data subjects, rather than the statutory cap.

Where this sits among the Meta decisions

The data-scraping fine is one of a series of large DPC decisions against Meta entities. It is distinct from the WhatsApp transparency fine (€225 million, 2021), the Instagram children's-data fine (€405 million, 2022), the contractual-basis fines on Facebook and Instagram (€390 million combined, 2023) and the €1.2 billion transfers fine (2023). Among that group, the data-scraping decision is the one that turns entirely on Article 25: it is about how a product is built, rather than transparency, the lawful basis for advertising or the legality of international transfers. When a later fine against the same controller is assessed, the earlier decisions are weighed as relevant previous infringements under Article 83(2)(e).

What this decision tells controllers

The practical lesson is that Data Protection by Design and Default is an enforceable obligation with nine-figure exposure, not an aspirational principle. Any feature that lets a user look up, match or enumerate other people by an identifier (phone number, email, user ID) must be designed against abuse from the outset: default-private visibility, rate limiting, anomaly detection and minimisation of the data returned. Controllers should treat adversarial misuse of legitimate features as a foreseeable risk that Article 25 makes them responsible for, and should document the by-design and by-default safeguards as part of the data-protection impact assessment for any such feature.
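As an added illustration of the design points above (and of the same points restated in the product-design answer in the FAQ below), the block places an enumerable contact-matching function next to a version with the safeguards the paragraph names: discoverability switched off unless the user opts in (the Article 25(2) default), a batch cap and a per-caller rate limit, results minimised to what a contact importer actually needs, and an audit flag for batches that look like a walked number range rather than an address book. This is example code written for this register entry; it is not Meta's code and is not taken from the DPC decision, and the sample directory, the thresholds and the sequential-number heuristic are constructed assumptions.

```python
"""Contact-import matching: an enumerable design beside a hardened one.

Example written for this register entry; it is not Meta's code and is not
taken from the DPC decision. The user directory, the thresholds and the
sequential-number heuristic are constructed assumptions for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed sample directory (fictional people). "discoverable_by_phone"
# is an opt-in setting; where a record lacks it, the default applies.
USERS = [
    {"id": 1001, "name": "Aoife Byrne", "phone": "+353851000001", "email": "aoife@example.ie",
     "dob": "1990-03-04", "city": "Dublin", "discoverable_by_phone": True},
    {"id": 1002, "name": "Seán Murphy", "phone": "+353851000002", "email": "sean@example.ie",
     "dob": "1985-07-19", "city": "Cork"},
    {"id": 1003, "name": "Niamh Walsh", "phone": "+353851000003", "email": "niamh@example.ie",
     "dob": "1993-11-30", "city": "Galway", "discoverable_by_phone": False},
    {"id": 1004, "name": "Cian Kelly", "phone": "+353851000004", "email": "cian@example.ie",
     "dob": "1978-01-12", "city": "Limerick", "discoverable_by_phone": True},
]
BY_PHONE = {u["phone"]: u for u in USERS}


def normalise(phone: str) -> str:
    """Keep only '+' and digits so '+353 85 100 0001' matches the stored form."""
    return "".join(ch for ch in phone if ch.isdigit() or ch == "+")


def lookup_unsafe(phones):
    """The enumerable design: any caller, any batch size, every account
    matchable regardless of settings, and the full profile returned.
    A caller walking a number range harvests the whole directory."""
    return [BY_PHONE[p] for p in map(normalise, phones) if p in BY_PHONE]


class RateLimited(Exception):
    pass


@dataclass
class ContactImporter:
    """Hardened design: safeguards built in and switched on by default."""
    max_batch: int = 500                 # an address book, not a number range
    max_batches_per_window: int = 2      # per caller, per sliding window
    window_seconds: int = 3600
    sequential_alert_ratio: float = 0.5  # flag batches that look like a walked range
    _history: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _check_rate(self, caller_id: str, now: float) -> None:
        """Sliding-window limit on match batches per caller."""
        q = self._history.setdefault(caller_id, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_batches_per_window:
            raise RateLimited(f"{caller_id}: {len(q)} batches in {self.window_seconds}s")
        q.append(now)

    @staticmethod
    def sequential_ratio(phones) -> float:
        """Share of submitted numbers whose immediate predecessor is also in
        the batch. Address books rarely contain consecutive numbers; a
        generated range scores close to 1.0. Constructed heuristic."""
        ints = {int(p.lstrip("+")) for p in map(normalise, phones) if p.lstrip("+").isdigit()}
        if len(ints) < 2:
            return 0.0
        return sum(1 for n in ints if n - 1 in ints) / len(ints)

    def lookup(self, caller_id: str, phones, now: float):
        """Match a contact list, returning the minimum data the feature needs."""
        if len(phones) > self.max_batch:
            raise ValueError(f"batch of {len(phones)} exceeds cap of {self.max_batch}")
        self._check_rate(caller_id, now)
        ratio = self.sequential_ratio(phones)
        if ratio >= self.sequential_alert_ratio:
            self.audit_log.append({"caller": caller_id, "event": "sequential_batch",
                                   "ratio": round(ratio, 2), "size": len(phones)})
        matches = []
        for p in map(normalise, phones):
            u = BY_PHONE.get(p)
            # Article 25(2) default: a record with no setting is NOT discoverable.
            if u and u.get("discoverable_by_phone", False):
                matches.append({"id": u["id"], "name": u["name"]})  # no phone, dob, email, city
        return matches


if __name__ == "__main__":
    walked_range = [f"+35385100000{i}" for i in range(1, 5)]
    print("unsafe:", lookup_unsafe(walked_range))
    importer = ContactImporter()
    print("hardened:", importer.lookup("app-1", walked_range, now=0))
    print("audit:", importer.audit_log)
```

Run against the same four-number range, the unsafe function hands back every profile with phone, date of birth and email, while the hardened importer returns only the two opted-in users as id and name, records an audit event because three of the four numbers are consecutive, and refuses a third batch from the same caller within the hour. The sequential-run heuristic is used instead of a match-rate threshold because a genuine address book can legitimately have a low hit rate, whereas consecutive numbers are characteristic of enumeration.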

FREQUENTLY ASKED

About the Meta €265 million data-scraping fine

Why was Meta fined €265 million?
The Irish Data Protection Commission fined Meta Platforms Ireland €265 million on 25 November 2022 over the Facebook data-scraping incident. The DPC found that Meta had failed to implement Data Protection by Design and Default as required by Articles 25(1) and 25(2) GDPR, so that contact-import and search tools could be abused to compile a dataset of more than 500 million users' personal data, which was later published online.
What was the Facebook data-scraping incident?
Between May 2018 and September 2019, third parties abused Facebook's search, Facebook Messenger Contact Importer and Instagram Contact Importer tools to match large lists of phone numbers to user profiles, scraping data on more than 500 million users. The compiled dataset, which included names, Facebook IDs, phone numbers, locations, birth dates and email addresses, was found published on a hacking forum in April 2021. The incident was not an intrusion into Facebook's systems but the abuse of features that lacked adequate safeguards by design.
Which GDPR articles did the fine concern?
The decision recorded infringements of Articles 25(1) and 25(2) GDPR, the Data Protection by Design and by Default obligations. Article 25(1) requires controllers to build appropriate technical and organisational measures into processing from the design stage; Article 25(2) requires that, by default, only personal data necessary for each specific purpose is processed. The DPC found Meta's contact-import and search features did not meet either obligation.
Did the EDPB get involved in the €265 million fine?
The DPC submitted a draft decision to the other concerned supervisory authorities under Article 60. None of them raised a relevant and reasoned objection, so the decision was adopted without a dispute-resolution referral to the European Data Protection Board, and the €265 million figure reflects the DPC's own assessment of the Article 83(2) factors. This distinguishes it from the Meta €1.2 billion transfers fine, where the EDPB issued an Article 65 binding decision instructing the DPC to include an administrative fine that the DPC's draft had omitted.
What does the data-scraping decision mean for product design?
The decision establishes that scraping enabled by a product's own features is a Data Protection by Design failure, not merely third-party misconduct. Controllers offering contact-matching, search-by-identifier or enumeration features must build in rate limiting, default-private settings, and abuse monitoring from the design stage. Article 25 makes the controller responsible for foreseeable misuse of its own tools, so privacy-by-design reviews need to model adversarial use, not just intended use.

CROSS-REFERENCES

Related entries on this register

SUPERVISORY AUTHORITY

Irish Data Protection Commission (DPC)

The lead supervisory authority for Meta and the other Big Tech entities headquartered in Dublin.

ARTICLE 32 & 25

Security of Processing and Privacy by Design

How the security and by-design obligations differ, and why this case turned on Article 25 rather than Article 32.

RELATED CASE

Meta €1.2 Billion DPC Fine (2023)

The largest of the Meta decisions: transfers of EU user data to the United States in breach of Article 46(1).

RELATED CASE

Instagram €405M DPC Fine (2022)

Issued the same year, concerning the public exposure of children's contact details.

METHODOLOGY

How GDPR Fines Are Calculated

The Article 83 calculation walkthrough used in every decision summary on this register.

REGISTER

Full Decision Register

Every major GDPR fine indexed by company, country, year and violation type.

SOURCES & CITATIONS

Primary sources

Figures as of June 2026. Verified against published DPA decisions.

REGISTER UPDATED 2026-04-28