Data watchdog says Facebook may have broken GPDR

15 Apr 2021

Image: © Rey/Stock.adobe.com

The Data Protection Commission is launching a probe following Facebook’s recent data leak.

Following the news that data from more than half a billion Facebook users was available online, the Irish data protection watchdog is launching a probe.

At the start of April, it was first reported that a massive database of information on 533m Facebook users from 106 countries was available on a hacking forum.

According to Facebook, the data came from a large-scale scraping incident that took place before the introduction of GDPR, and so it was not required to notify the Data Protection Commission (DPC) of the leak.

The DPC began liaising with Facebook earlier this month to “establish the full facts” about the dataset and its appearance online. It stated that “the newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset and combined with additional records, which may be from a later period.”

Now, the DPC has confirmed that is has launched an “own-volition inquiry” into the data leak.

What does the DPC inquiry mean?

In a statement yesterday (14 April), the DPC said it believes that “one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook users’ personal data”.

Data protection investigations are par for the course for Facebook. In fact, the latest DPC report showed that more than half of its cross-border investigations in 2020 related to Facebook, WhatsApp and Instagram.

However, Facebook has been downplaying the data leak, saying that it is old scraped data that was previously reported on two years ago and emerged from a vulnerability that was fixed in 2019. The company said the data-scraping occurred between June 2017 and April 2018, just before GDPR came into practice.

Not only had Facebook chosen not to proactively notify the DPC but the company has no plans to notify users that have been affected.

“The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses,” the DPC stated this week.

Based on the information Facebook has provided, the DPC believes that GDPR rules may have been infringed.

Its probe will seek to determine whether the social media giant has complied with its obligations in connection with the processing of users’ personal data by means of the Facebook search, Facebook Messenger contact importer and Instagram contact importer features.

A number of questions remain over exactly when and how the leak happened. There are also still concerns because the data being circulated online includes phone numbers, which are not often changed by users and so could be a goldmine for scammers.

Jenny Darmody is the deputy editor of Silicon Republic

editorial@siliconrepublic.com