Social Media Privacy and the GDPR
The GDPR has given European regulators the power to investigate data controllers and processors, and to enforce regulatory penalties when they violate GDPR requirements. (Article 4 of the GDPR defines controllers, processors, and other GDPR terms.)
In late 2022, the Irish Data Protection Commission (DPC) concluded an inquiry into Meta Platforms Ireland Limited (MPIL), the data controller of the “Facebook” social media network, and imposed a fine of €265 million and a range of corrective measures on the company. The DPC found that Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools violated Article 25 of the GDPR, which obligates data controllers to implement Data Protection by Design and Default.
Here is a news report on the inquiry: Natasha Lomas, Meta hit with ~$275M GDPR penalty for Facebook data-scraping breach, TechCrunch (Nov. 28, 2022).
Here is the Final Decision published by the Irish Data Protection Commission.
Here are a few questions to keep in mind while looking through this material:
How could decisions like this one change how social media and other platforms collect and use our data, even beyond the EU?
How would similar laws in the U.S. change social media platforms' responsibilities for our data and the limits on how they may treat it?
From a legal writing perspective, compare the TechCrunch news report to the Final Decision. Why are they so different, even though they are conveying the same legal conclusions? Who are the audiences for each piece, and what are the goals of each piece?