Meta paid over 80 per cent of EU's 2022 GDPR fines

European authorities issued fines totalling €832m (£731m) for violating GDPR in 2022, of which Meta paid over 80 per cent, Atlas VPN has reported.

The latest data analysed by Atlas VPN revealed that as of December 2022, companies paid a total of €2.83bn (£2.48bn) in 1,401 cases of violating various data protection laws.

Of that amount, GDPR fines in the last year totalled €832m (£731m), a 36 per cent decrease from the previous year.

The most shocking part of the report, however, was the severity of the charges imposed on a single entity – Meta. Overall, the parent company of Facebook, Instagram and WhatsApp was ordered to pay an amount equal to 80 per cent of all fines imposed by the EU, over its data protection practices. 

The largest fine imposed upon Meta was worth €405m (£355m). It was imposed by the Data Protection Commission (DPC), an authority for GDPR enforcement in Ireland, on 5 September 2022, over issues regarding the processing of personal data pertaining to child users on Instagram. 

The DPC ruled Meta had allowed children's email addresses and phone numbers to be publicly exposed when using the Instagram business account function, and that the profiles of kids were public-by-default.

In addition, Facebook was penalised with a €265m (£232m) fine on 25 November 2022, when the DPC declared that Meta had infringed two articles of the EU's data protection laws after details of Facebook users from around the world were scraped from public profiles in 2018 and 2019.

Moreover, the DPC issued a "reprimand and an order" forcing Meta to "bring its processing into compliance by executing a range of specified remedial activities within a specific deadline". 

Meta complied and made the adjustments within the required timeframe.

Since 25 May 2018, Europe's framework for data protection has impacted many businesses operating within the EU. However, because it is extra-territorial in nature, the GDPR also applies to companies located outside of the EU, with the aim of defending the rights of data subjects rather than governing corporations.

Although the UK has announced its intention to replace GDPR rules with a different data protection regime, the country has also made moves to curb the influence of platforms such as Meta. 

In 2020, the UK’s competition regulator, the Competition and Markets Authority (CMA), called on the government to introduce a new pro-competition regulatory regime to tackle Google and Facebook’s market power.

At the time, the CMA’s report found that the social media company “uses default settings to nudge people into using their services and giving up their data”, including a requirement to accept personalised advertising as a condition for using the service.

To date, Meta has paid around €1bn for GDPR violations.

In addition, the company recently agreed to pay $725m (£600m) to resolve a class-action lawsuit over the Cambridge Analytica scandal, which accused the company of allowing third parties to harvest the personal data of millions of users.

Since the Cambridge Analytica scandal, Facebook has weathered numerous other scandals relating to its handling of user data; violent and manipulative content on its platforms; its allegedly deliberately addictive nature; potential antitrust violations; discriminatory ad targeting; and now-defunct digital currency venture, Libra.
