Thousands urged to sue in mass action over Facebook data leak

16 Apr 2021

Image: © sitthiphong/

Digital Rights Ireland said the scale of personal information compromised is ‘gobsmacking’ and those impacted ‘deserve action’.

An Irish digital rights advocacy group is calling on people in Europe affected by the recent Facebook data leak to join a mass action lawsuit.

Digital Rights Ireland (DRI) said it plans to sue the social media giant to recover damages for people whose personal information has been leaked online. It is preparing to file a case in the courts of Ireland on behalf of thousands of Facebook users.

Earlier this month, it emerged that a massive database of information on 533m Facebook users from 106 countries was available on a hacking forum. A significant number of these are EU users and around 1.5m Irish accounts are reported to be affected.

The information, which had been scraped from users’ profiles, includes phone numbers, Facebook IDs, names, locations, birthdates and email addresses.

“The scale of this breach, and the depth of personal information compromised, is gobsmacking,” said Antoin O Lachtnain, director of DRI.

“Those impacted deserve action and Facebook’s handling of this breach has been entirely inadequate. This will be the first mass action of its kind but we’re sure it won’t be the last.”

Irish law does not allow for class-action lawsuits in the same way US law does. ‘Mass action’ is a more general, less legally specific term, but would involve large numbers of people represented in a single complaint. DRI said those impacted by the breach who take part in this legal action could be awarded monetary damages.

“Forcing companies like Facebook to pay money to users whose privacy rights they’ve violated is the most effective way to really change the behaviour of these Big Tech companies,” added Dr TJ McIntyre, chair of DRI.

“The prospect of class and mass actions is going to be a major impetus for the largest and most profitable of tech companies to become legally compliant and stop treating user data like a commodity.”

More information about the proposed legal action can be found at

DPC inquiry

DRI also said it has made a complaint to the Irish Data Protection Commission (DPC), which has already begun its own probe into the incident.

The DPC began liaising with Facebook earlier this month to “establish the full facts” about the data leak, and confirmed this week that it has launched an own-volition inquiry.

The data privacy watchdog said it believes that “one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook users’ personal data”.

It is looking to determine whether the social media giant has complied with its obligations in connection with the processing of users’ personal data through the Facebook search, Facebook Messenger contact importer and Instagram contact importer features.

For its part, Facebook has said that the leak relates to old scraped data that was previously reported on two years ago and emerged from a vulnerability that was fixed in 2019. The company claimed the data-scraping occurred between June 2017 and April 2018, before GDPR came into practice.

However, concerns remain because the data being leaked online includes phone numbers, which are not regularly changed by users and could be a gold mine for scammers.

Sarah Harford was sub-editor of Silicon Republic