Facebook—Meta—was just fined $276 million (USD) for a data leak that included full names, birth dates, phone numbers, and location.
Meta’s total fine by the Data Protection Commission is over $700 million. Total GDPR fines are over €2 billion (EUR) since 2018.
Winter • November 30, 2022 7:46 AM
I am rather surprised the Ireland’s Data Protection Commission actually did anything to punish META. The IDPC is well known for working against the GDPR, mostly by stalling all procedures indefinitely.
If META goes to the European Court to get it overturned, they might find a bench of much less lenient judges.
Btw, repeat offenses get higher fines. The maximum is 2% of world turnover, for regular mistakes. It rises to 4% for criminal negligence or intent.
Clive Robinson • November 30, 2022 8:49 AM
@ ALL,
Remember imposing a fine and collecting it are two seperate and mostly unrelated processes.
The question to ask is “What method of compelling does the EU DPC have if Meta say ‘Foxtrot Oscar’?”.
Further how will the fines be payed, it’s not as though Meta actually pays taxes anyway.
One trick is to write a fine off against tax. So whilst the fine is large the cost is small.
Worse perhaps is if the Fine is payed into Europe, where will the tax write off land?
But the sensible way to deal with Meta is to “pull the plug” on them in one of many ways.
One such would be to block their entire IP address range and DNS resolution in Europe.
As Meta income is “ad based” that would cut into their income at a time when the company value has fallen to about a quater of what it was a year ago. In fact Meta’s official value is oh about 200-300billion so the fine is a fraction of a percent of that… But what would it be if Meta were nolonger available in Europe?
Rather more noticeably smaller I suspect. Remember part of the 75% loss in value from 1Trillion down so ~250billion was due to investors not being happy about the money being spent on those darn VR goggles…
Along with the fact that life is not a happy place in the Social Networking world with Twitter under Hell-on Rusk doing the imploding thing and another similar company has laid of 31% of staff,
Life is looking a little less than rosey in certain corners of the industry. Especially as I suspect news will start to come out that Twitter staff that have left have found new and potentially better jobs.
Winter • November 30, 2022 9:01 AM
@Clive
The question to ask is “What method of compelling does the EU DPC have if Meta say ‘Foxtrot Oscar’?”.
That would be a popcorn worthy spectacle. I do not think I have seen that before.
Even MS had to pay up $1B or so (not GDPR).
Denton Scratch • November 30, 2022 10:45 AM
One such would be to block their entire IP address range and DNS resolution in Europe.
Only my ISP can prevent me accessing Meta’s IP adresses; and my DNS resolver is right here, in my living room. To prevent me resolving Meta, you’d have to block the DNS roots. Well, OK; just being Meta is enough to prevent me accessing Meta, but you know what I mean.
Aaron • November 30, 2022 11:18 AM
How long will society keep pretending that monetary “punishment” is sufficient to force companies to do the right thing first, rather then after the fact?
Winter • November 30, 2022 11:27 AM
@Clive
But the sensible way to deal with Meta is to “pull the plug” on them in one of many ways.
Meta gets its income from advertising. If companies cannot advertise in the EU because Meta is labeled criminal in some way, that would hurt.
chmod700 • November 30, 2022 1:09 PM
It’s the cost of doing business.
Willie • November 30, 2022 2:52 PM
This result seems entirely related to data storage and processing. What about collection? Dates of birth and full/”real” names seem way too personal to be collected without a very good reason, which the GDPR requires. Has any Commission officially investigated or issued rulings relating to this?
Bill • November 30, 2022 3:40 PM
@ Aaron:
A US Supreme Court ruling declared that corporations are “Individuals.” In that case, throw them in jail for violating the law.
What would that look like? Perhaps
. no communications with other parties
. no access to funds
. restrictions on activities (providing services, selling goods)
. actual prison time for the C-suite officers and board
lurker • November 30, 2022 4:15 PM
@Bill
Back in the ’80s a whole lot of otherwise decent Companies declared themselves to be Corporations with “the rights and privileges of a natural person.” I wondered at the time how they were allowed to do that without also assuming the duties and obligations of natural persons.
vas pup • November 30, 2022 7:14 PM
India: Data privacy rules in play under new draft bill
https://www.dw.com/en/india-data-privacy-rules-in-play-under-new-draft-bill/a-63930891
“The proposed legislation is called the Digital Personal Data Protection Bill (DPDP). It aims to secure personal data, while also guaranteeing user consent. The long-delayed bill needs the
approval of parliament before becoming law.
However, it also gives the government broad powers to exempt any of its agencies from compliance. Various stakeholders have expressed concerns that unhindered government access to
data can be abused. For example, when law enforcement uses data to crack down on protests.
“There is power to exempt all government institutions from any or all provisions of the law.
That is a clear invitation to the executive to act arbitrarily,” former judge B. N. Srikrishna told DW.
Srikrishna, a former Indian Supreme Court justice who also spearheaded a committee that drafted the first 2018 version of the data protection bill, said the current draft was loaded
in favor of the government.
“The so-called regulator will be a puppet of the government and will have no independence,” Srikrishna said.
India’s Data Protection Board (DPB) will be tasked with ensuring compliance with the law and oversee compliance.
Vrinda Bhandari, a lawyer working on digital rights and privacy
issues, said the
==>independence of the board could be a problem, as the government will set the rules and the composition of
the DPB.
Government officials have said the new draft is aligned with the Indian Supreme Court’s ruling on privacy as a fundamental right but within reasonable restrictions.
“There will be deliberations and the government welcomes stakeholders’ views on the subject before it finalizes a bill that will be tabled in parliament. The government expects to
complete the process over the next few months,” a senior official told DW under condition of anonymity.
!!!The current DPDP draft requires consent before collecting personal data. It also calls for stiff penalties on persons and companies that fail to prevent data breaches, including accidentally disclosing, sharing, altering or destroying personal data.”
Good short video and more information inside
Ted • December 1, 2022 12:06 AM
In a 2021 blog post about data scraping Meta claims:
“We have a dedicated External Data Misuse (EDM) team made up of more than 100 people, including data scientists, analysts and engineers focused on our efforts to detect, block and deter scraping.”
According to The Guardian, the DPC currently has 13 open inquiries pertaining to Meta.
Even if Meta makes some improvements they just have so much data. I’ll look forward to seeing how they adjust to these evolving consequences in the coming years.
Jon • December 1, 2022 12:45 AM
@ Bill, lurker,
IF a corporation is a person, what makes you think you can own one? The USA fought a fairly extensive war about owning people in the middle of the 1800s… J.
Ismar • December 1, 2022 3:13 AM
Monetary penalties work and this is a good development as we see more and more of these imposed across different jurisdictions.
Winter • December 1, 2022 3:38 AM
@Bill
A US Supreme Court ruling declared that corporations are “Individuals.” In that case, throw them in jail for violating the law.
The personhood of corporations does not mean they should go to jail, as that is not a punishment of corporation. The responsible natural persons are the shareholders. Putting all the shareholders to jail too is not a suitable punishment. As corporations are understood to exist only for financial profit, fines are the only appropriate punishments.
As for the Supreme Court rulings that lead to personhood of corporations, that is one long and twisted road, with some malfeasance and lies in it.
‘Corporations Are People’ Is Built on an Incredible 19th-Century Lie
‘https://www.theatlantic.com/business/archive/2018/03/corporations-people-adam-winkler/554852/
10 Supreme Court Rulings That Turned Corporations Into People
‘https://www.alternet.org/2014/07/10-supreme-court-rulings-turned-corporations-people/
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Jay • November 30, 2022 7:19 AM
I’m curious, what are the chances of Meta actually having to pay any significant portion of that money, as opposed to negotiating it down to 1-10% of that, if not a full release?
$700m is peanuts for a $100+ bn revenue company and yet, somehow, I have the nagging feeling that they will not pay most of it, if any at all.