In the decision, the DPC argued that Meta failed to comply with the GDPR’s requirement of providing privacy “by design and default” when it failed to prevent the disclosure of users’ phone numbers, email addresses, full names, dates of birth and other personal information on an online hacking forum. The leak was a result of a hacking group exploiting a weakness in Facebook’s data processing measures to scrape public profiles and connect user profiles with email addresses.
In September, the DPC fined Meta €405 million for allowing minors to operate business accounts on Instagram, which led to the disclosure of affected users’ contact information. Meta says it plans to appeal both of the DPC’s decisions.