---
title: "GDPR Non-Compliance: Meta Fined $277m For Exposing Over 500 Million Users’ Data | Phish Protection"
description: "Businesses take all sorts of measures to remain competitive in the marketplace, but it should not happen at the expense of violating data privacy laws."
image: "https://phishprotection.com/og/blog/gdpr-non-compliance-meta-fined-277m-exposing-500-million-users-data.png"
canonical: "https://phishprotection.com/blog/gdpr-non-compliance-meta-fined-277m-exposing-500-million-users-data/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/11/how-to-prevent-phishing-3472.jpg) 

Businesses take all sorts of measures to remain competitive in the marketplace, but these must not come at the expense of violating **data privacy laws**. The following is the latest incident in which regulators fined Meta for not protecting the privacy of its users.

Recently, the Irish data watchdog **Data Protection Commission (DPC)** fined Facebook’s owner about $277 million after it discovered a breach that led to details of over 500 million users getting published online. The [Data Protection Commission (DPC)](https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry) mentioned that Meta infringed upon two articles of the EU’s data privacy laws after malicious actors scraped details of **Facebook users** worldwide from their public profiles in 2018 and 2019.

The DPC, which regulates Meta across the EU, discovered the data on a hacking website last year and launched an investigation into the incident. The DPC says that a large number of the affected users were from the EU.

### Not Just A Fine

Additionally, the privacy watchdog imposed a **“reprimand and order”** on Meta, requiring it to take particular remedial actions within a specified timeframe and bring its data processing into compliance.


In a statement, Meta explained: “We made certain changes to our systems during the mentioned time, including removing the ability of a person to scrape our features using phone numbers. We consider unauthorized **data scraping** against our rules and unacceptable.”


### What is Data Scraping?

Data scraping, also called [web scraping](https://www.geeksforgeeks.org/what-is-web-scraping-and-how-to-use-it/), is the process through which threat actors **extract data** from websites. While a user can manually do data scraping, hackers commonly use automated tools. Such tools can extract data from various web pages simultaneously and save it in a format for further analysis.

Threat actors use data scraping to collect data about products, reviews, prices and more. They can also use it to fill out forms automatically or gather contact information from websites. The company, earlier called Facebook, said the data was gathered by threat actors who misused a Facebook feature called **“Contact Importer”**.

They uploaded a massive volume of phone numbers to the site to see which ones matched its users. On Monday, Meta reiterated that in 2019 it had removed the ability to use phone numbers to scrape its services in this way.
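From the defender's side, this kind of contact-import misuse shows up in import logs as very large uploads of near-consecutive numbers from one account. The following detection sketch is an added example, not Meta's or the DPC's code; the event layout, account ids, phone numbers and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _block(start, n):
    # Constructed helper: n consecutive phone numbers, as a number-range sweep would upload.
    return [f"+3538500{start + i:05d}" for i in range(n)]


# Constructed sample events: (ISO timestamp, account id, numbers uploaded in one import call).
EVENTS = [
    ("2019-01-10T09:00:00", "acct_a", ["+353851234567", "+353861112223", "+447700900123"]),
    ("2019-01-10T09:01:00", "acct_b", _block(0, 400)),
    ("2019-01-10T09:20:00", "acct_b", _block(400, 400)),
    ("2019-01-10T09:40:00", "acct_b", _block(800, 400)),
    ("2019-01-10T15:00:00", "acct_a", ["+353871230000"]),
]


def sequential_ratio(numbers):
    """Fraction of distinct uploaded numbers whose successor (+1) was also uploaded."""
    vals = {int(n.lstrip("+")) for n in numbers}
    if len(vals) < 2:
        return 0.0
    return sum(1 for v in vals if v + 1 in vals) / len(vals)


def flag_enumeration(events, window=timedelta(hours=1), max_numbers=1000,
                     min_numbers=50, max_seq_ratio=0.5):
    """Return {account: reason} for accounts whose imports inside any window
    exceed the volume limit or look like a sweep over a number range."""
    by_account = defaultdict(list)
    for ts, account, numbers in events:
        by_account[account].append((datetime.fromisoformat(ts), numbers))

    flagged = {}
    for account, imports in by_account.items():
        imports.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(imports):
            # Every number this account uploaded within `window` of this import.
            seen = {n for t, nums in imports[i:] if t - start <= window for n in nums}
            ratio = sequential_ratio(seen)
            if len(seen) > max_numbers:
                flagged[account] = f"volume: {len(seen)} numbers in window"
            elif len(seen) >= min_numbers and ratio > max_seq_ratio:
                flagged[account] = f"sequential: ratio {ratio:.2f} over {len(seen)} numbers"
            if account in flagged:
                break
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(EVENTS))
```

A genuine address book is small and scattered across prefixes, so both signals stay low for `acct_a`; thresholds would need tuning against real import traffic.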

The latest fine is among many that Meta faces for data privacy issues. DPC has fined Meta over $1 billion since September last year. In September 2021, Meta received another fine of over $400 million for allowing teenagers to set up Instagram accounts and publicly display their email addresses and phone numbers. Furthermore, in March 2022, **the privacy watchdog** fined Meta about $17 million for additional GDPR breaches, including a $225 million fine on Meta’s WhatsApp for “serious” and “severe” GDPR infringements.

### How Can Organizations Remain GDPR Compliant and Avoid Such Fines?

Such incidents highlight the need for organizations to focus on various data privacy laws to safeguard their users against [breaches](/blog/what-will-happen-if-you-breach-data-privacy-laws/). For starters, they must know the critical articles and concepts regarding GDPR. Remaining GDPR compliant doesn’t merely involve **“fixing a website”**; it must be an integral part of the organization. Following are the steps businesses can take:

- **_Data mapping:_** A crucial step towards remaining GDPR compliant is understanding how data moves within your organization. You can document the information flow in your enterprise by making an inventory. A data map can be a good starting point, which will help demonstrate that you comply.
- **_Privacy Policy:_** You must regularly review and update your **Privacy Policy**. It is the first place data privacy watchdogs look to check if you are GDPR compliant.
- **_Training:_** The GDPR is a project that demands business change. Your employees must understand the importance of **data protection** and [phishing protection](/), as well as GDPR’s fundamental principles and the procedures implemented for compliance.
- **_Report data breaches:_** You must implement the proper procedures to detect, investigate and report internal and external data breaches. According to [GDPR guidelines](https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection), you must report a breach to the **Supervisory Authority** within the first 72 hours unless personal data is anonymized or encrypted.

### About Data Protection Commission (DPC)

The DPC regulates **Google, Apple, TikTok** and other technology platforms that have their EU headquarters in Ireland. It is currently processing 40 open inquiries into such technology giants, including 13 involving Meta. The Irish regulator recently issued a statement that other relevant EU regulators agreed with its decision on Monday regarding a draft ruling under the bloc’s **“one-stop shop”** method of regulating large multinationals.

The EU is tightening regulation on big tech companies. The bloc recently passed, and is starting to implement, two new laws for big tech companies: one aims to limit potentially anticompetitive conduct, and the other requires them to demonstrate they have robust **content-moderation systems**.

According to EU officials, the tech giants are currently in talks with the EU’s executive arm, the **European Commission**, to determine which new laws will apply to the specific services they provide. Elements of the new laws will be enforced in the middle of next year.

Meta is not the only technology giant facing scrutiny. Last year, regulators in [Luxembourg fined Amazon](https://www.nytimes.com/2022/11/28/business/meta-fine-eu-privacy.html#:~:text=Last%20year%2C%20Amazon%20was%20fined,it%20has%20its%20European%20headquarters.) nearly $750 million over its advertising. In January, French regulators fined Google about **$150 million** because its users did not get an acceptable way to decline the **cookie trackers** used by online advertisers for tracing a person’s internet browsing history.

### Final Words

Businesses must acknowledge that remaining transparent about using and **protecting user data** is a legal requirement today. Each organization (including public sector entities and charities) must define a scope to collect specific data. As evident from the massive fine regulators slapped on Meta and other technology giants, organizations must make data privacy inherent to their operations or risk paying enormous penalties. They must only collect personal information required to offer a service or product, nothing else. Also, they must not share the data for other **unrelated purposes**.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

