Not only are they burning through cash as they pivot toward the metaverse, but their struggles with data privacy are an ongoing issue.

In many ways, Facebook/Meta’s data privacy troubles began in 2018, with revelations that a data-marketing firm had illegally collected the personal details of more than 80 million Facebook users.

However, despite promises of improvements and changes in corporate policy—as well as the implementation of the EU’s General Data Protection Regulation (GDPR) in 2018—Meta’s struggles with data privacy continue today.

Meta’s popular social media services, including Facebook, Instagram, and WhatsApp, are all actively involved in investigation and litigation in jurisdictions around the world. This proves that Meta has a long way to go before users can feel confident their data is in good hands with the tech giant.

The 2018 Cambridge Analytica Scandal

The first major data privacy scandal for Facebook/Meta came in March 2018. News broke worldwide that data-marketing firm Cambridge Analytica, operating under parent organization SCL Elections Ltd., had captured personal information from 87 million US Facebook profiles without authorization.

In the days that followed, whistleblower and former Cambridge Analytica employee Christopher Wylie spoke before a British parliamentary committee. He shed light on the company’s participation in using the stolen user data to influence the 2016 American presidential election and sway the Brexit vote in the UK in favor of the ‘Leave’ side.

Ultimately, Cambridge Analytica and SCL Elections Ltd., facing multiple lawsuits, were driven into bankruptcy.

Facebook CEO Mark Zuckerberg apologized for Facebook’s role in the Cambridge Analytica scandal and, at the time, promised to adjust third-party app permissions to stop them from “getting so much information” when users sign up for them.

In 2019, Facebook agreed to pay a record-breaking $5 billion fine to the US Federal Trade Commission and allow unprecedented government oversight of its business practices to settle charges of wrongdoing in the Cambridge Analytica scandal. In August 2022, Facebook agreed to settle a UK lawsuit seeking damages in the case for an undisclosed sum.

New Data Privacy Scandals Around the World for Meta

Despite the negative press and the hefty fines, is data privacy more important to Meta now? Has anything changed?

The short answer appears to be “not much.”

While Meta may have made its systems safer against third-party apps collecting too much personal data, the company itself still appears to treat user data in questionable ways.

In one recent example, several popular tax preparation software programs in the United States sent sensitive personal information, including names, email addresses, income information, and tax refund amounts, to Meta through Facebook pixel trackers used to provide targeted ads.

Meta said the collection of such sensitive data was against its policies and that its systems are “designed to filter out potentially sensitive data it is able to detect.”

In India, Meta faces a hearing in January 2023 before that nation’s Supreme Court stemming from the popular messaging app WhatsApp’s privacy policy.

In 2021, two individuals challenged WhatsApp’s terms of service in court, claiming that Meta’s demand that WhatsApp should have permission to access calls, photographs, texts, videos, and documents shared by its users violated privacy and free speech protections in the Indian constitution.

Additionally, the plaintiffs objected to the new WhatsApp privacy policy, which allows the app to share more user data with parent company Meta, including transaction data, IP addresses, mobile device information, and other non-personally identifiable information. Users who do not accept the privacy policy are unable to access WhatsApp.

And in Turkey, Meta has been hit with a 346.72 million lira ($18.6 million US) anti-trust fine for improperly combining user data across Facebook, WhatsApp, and Instagram at the expense of local competition.

While the Turkish fine is minor compared to some that Meta has had to pay, it is noteworthy because it strikes at the heart of much of Meta’s business model: building detailed ad profiles of users based on deep dives into their personal data.

GDPR Implications for Meta

Meta’s greatest data privacy challenges may lie in the European Union.

The Cambridge Analytica scandal broke out before the implementation of the General Data Protection Regulation (GDPR), which led to a growing sense of data privacy awareness in the business community.

As a result, there was discussion at the time as to whether greater data privacy regulation would have deterred the kind of personal data harvesting that Cambridge Analytica undertook.

After all, failure to comply with GDPR directives can result in hefty fines, reaching up to €20 million or 4 percent of global annual revenue. And according to the GDPR website, the regulation applies to all organizations that process the personal data of EU residents, regardless of geographical location.

Now, four years into the GDPR era, Meta is no stranger to fines for violating the data protection law.

In March 2022, Facebook received an $18.6 million fine for a series of 2018 violations of the GDPR. These breaches—a dozen incidents over a six-month period between June 7, 2018, and December 4, 2018—affected up to 30 million Facebook users in the EU.

In September 2022, Meta was fined roughly $400 million for breaking EU data privacy laws around the treatment of children’s data on Instagram.

Ireland’s Data Protection Commission found Meta was in violation of GDPR rules because the Instagram accounts of children aged 13 to 17 were automatically set to public, and teenagers with business accounts on Instagram were able to make their email addresses and phone numbers public.

Also, in September, WhatsApp was fined $267 million under GDPR for failing to adequately and transparently account for how it processes and uses users’ data and personal information.

The 266-page report found that WhatsApp did not live up to its obligations to users, non-users, and regulators regarding such transparency, nor was it fully transparent in sharing data with its parent company, Meta.

In addition, Meta is currently being sued under the UK version of GDPR to stop harvesting personal data for targeted “surveillance advertising.”

The suit argues that Meta’s business model violates general data protection regulations in the UK by processing and profiling an individual’s personal data and using it to serve tailored ads. The plaintiff in the case objects to “being surveilled and profiled” by Meta and its social media apps.

Need for Cyber Security Awareness

Meta’s privacy principles demonstrate the company’s approach to data protection: giving users control of their data and educating them on how it is being used. How effective those data controls are remains an open question.

Facebook notes that it’s their responsibility to maintain privacy while also acknowledging that the process needs continuous improvement.

These data privacy scandals are not the first, and unfortunately, they won’t be the last. The Facebook/Meta conundrum serves as an example of how vital privacy issues really are. Data privacy represents a test for all organizations that want to maintain a top reputation in the market.

The good news is that you can take proactive steps to give your employees the tools they need to protect their own and your organization’s sensitive information. Effective data privacy and security awareness training empowers users to become cyber heroes.


