Ireland Opens GDPR Investigation Into Facebook Leak (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Facebook's lead data supervisor in the European Union has opened an investigation into whether the tech giant violated data protection rules vis-a-vis the leak of data reported earlier this month. Here's the Irish Data Protection Commission's statement:
"The Data Protection Commission (DPC) today launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 in relation to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet. This dataset was reported to contain personal data relating to approximately 533 million Facebook users worldwide. The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses.
The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users' personal data. Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect."
"We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services," Facebook said in a statement. "These features are common to many apps and we look forward to explaining them and the protections we have put in place."
Time to see if the GDPR is going to work (Score:3)
Re:Time to see if the GDPR is going to work (Score:5, Informative)
Re:Time to see if the GDPR is going to work (Score:5, Informative)
Whoever leaked the data, if caught, would be subject to criminal penalties. The company, in this case Facebook, *could* be held accountable for a GDPR violation for failing to provide adequate protections. Facebook *could* also avoid GDPR fines if they can demonstrate adequate protections that failed under extraordinary circumstances. One other avenue of possible risk for Facebook is if the data leak contains personal data for which Facebook had not disclosed and does not have a legitimate need. If this turns out to be the case, then it doesn't matter what type of protections were in place as Facebook would have knowingly violated one of the core principles of GDPR.
They also need to have notified the supervisory authority [gdpr-info.eu] in a timely manner (72 hours after being made aware of the breach) and communicated the breach to the data subject [gdpr-info.eu].
Re: (Score:3)
Nice strawman. The person that is controlling the data is liable for it and any breaches, period. There is zero ambiguity in the law about this. If you can show that other people used the leaked data, they can be pursued independently, but this has zero bearing on Facebook's liability. The only question is what measures did Facebook actually take to protect the data, and what kind of impact/harm can the data do to the concerned data subjects, as these factors will determine the kind and amount of any fines
I'm pissed off (Score:1)