Meta – Dismissed (Belgium, 2023)

The controller in this case was Meta Platforms Technologies Ireland Limited (hereafter Meta). Following a suspected data leakage concerning around 3,000,000 Belgian Facebook users, on 7 April 2021, the Belgian DPA called on Belgian citizens to check on the website https://benikerbij.be whether their data were part of the data leakage and if necessary to lodge a complaint with the DPA. Following this call, 1,113 complaints were lodged. On 14 April 2021, the Irish DPC opened its “own volition inquiry” to determine whether Meta complied with its privacy obligations with the functionalities Facebook Search, Facebook Contact Importer, Messenger Contact and Instagram Contact. On 29 July 2021, the Irish DPC was notified of the existence of complaints regarding the events under investigation with the Belgian DPA. In September 2022, under Article 60(3) GDPR, the DPC submitted a draft decision to various DPA’s, including the Belgian one who communicated their objections. In particular, in contrast to what the DPC had held, the Belgian DPA considered that data scraping should have been considered a data breach and that Meta had a duty to inform its users of the data leakage. On 25 November 2022, the DPC adopted its [https://www.dataprotection.ie/sites/default/files/uploads/2022-12/Final%20Decision_IN-21-4-2_Redacted.pdf final decision]. Its investigation revealed that in the Facebook search tool, the default settings allowed all users to find each other's profiles via their phone numbers or email addresses (with a possibility to deactivate it manually). It therefore concluded that there was a strong risk that the phone numbers and email addresses would be scraped and linked to the identity of their owners. It also held that after the leakage, Meta did not implement adequate technical and organizational measures and failed to demonstrate that it had conducted a risk analysis. Therefore, the DPC found a violation of Article 25(1), 25(2), 5(1)(b) and 5(1)(f) GDPR, ordered