Latest Facebook investigation is one of a series underway by Ireland’s Data Protection Commission under new GDPR rules.
The latest privacy breach at Facebook that affected nearly 7m users is being investigated by the Data Protection Commission (DPC) in Ireland under the General Data Protection Regulation (GDPR), a spokesperson confirmed to Siliconrepublic.com.
GDPR rules came into law across Europe on 25 May this year.
Under GDPR rules, companies could be hit with fines of up to €20m or 4pc of global turnover, whichever is higher. In Facebook’s case, such a fine could reach an estimated €1.6bn based on its annual revenues of €40.6bn for 2017.
Not only that, but EU users are empowered under the rules to take litigation against companies if they have been affected.
Facebook is understood to be one of a large number of US tech companies that have chosen the Irish DPC as a one-stop shop for data oversight under GDPR.
The bane of bugs post-GDPR
On Friday (14 December), Facebook disclosed that a bug gave hundreds of apps unauthorised access to photos that users had uploaded but hadn’t made public. The bug is understood to have run for 12 days between 13 and 25 September.
Facebook faces the music not only for the breach occurring in the first place, but also for failing to promptly disclose the issue within 72 hours.
The bug is the latest in a series of privacy scandals to beset the hapless social media giant. In October, the company revealed that at least 50m accounts were hacked in an access token harvesting attack.
“The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018,” Graham Doyle, head of communications at the DPC, told Siliconrepublic.com.
“[In] reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”