The DPC commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (‘MPIL’) during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default. The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept).

There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.

The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on MPIL.