Facebook faces ‘mass action’ lawsuit in Europe over 2019 breach

Natasha Lomas
Senior Reporter, TechCrunch
April 16, 2021
Facebook Faces European Lawsuit Over 2019 Data Leak

Facebook is facing legal action in Europe over a significant data breach that occurred in 2019 but only recently came to public attention. The compromised data, affecting over 533 million accounts, was discovered available for free download on a hacker forum.

Digital Rights Ireland Initiates Legal Challenge

Digital Rights Ireland (DRI) has announced the commencement of a “mass action” lawsuit against Facebook. This action is based on the right to financial compensation for breaches of personal data, as outlined in the European Union’s General Data Protection Regulation (GDPR).

GDPR and the Right to Compensation

Article 82 of the GDPR establishes a “right to compensation and liability” for individuals impacted by violations of the regulation. Since its enactment in May 2018, civil litigation related to GDPR breaches has been steadily increasing throughout the region.

Call to Action for Affected Users

DRI is encouraging Facebook users residing in the European Union or European Economic Area to determine if their data was compromised. They can do so by utilizing the haveibeenpwned website, which allows checks using email addresses or mobile numbers. Affected users are invited to join the lawsuit.

Details of the Leaked Information

The information exposed in the breach includes crucial details such as Facebook IDs, geographical location, mobile phone numbers, email addresses, relationship statuses, and employer information.

Facebook's Response

Facebook has been contacted for a statement regarding the litigation. Update: A spokesperson for Facebook has responded.

Irish Data Protection Commission Investigates

Facebook’s European headquarters are situated in Ireland, prompting the national data watchdog to launch an investigation earlier this week. This investigation is being conducted under both EU and Irish data protection laws.

Ireland's Role as Lead Data Regulator

Due to a GDPR mechanism designed to streamline cross-border investigations, Ireland’s Data Protection Commission (DPC) serves as Facebook’s primary data regulator within the EU. However, the DPC has faced criticism regarding its handling of GDPR complaints and investigations, particularly concerning the time taken to reach decisions on significant cross-border cases.

GDPR Anniversary and Ongoing Investigations

As the three-year anniversary of the GDPR approaches, the DPC currently has numerous open investigations into various facets of Facebook’s operations. Despite this, the commission has yet to issue a definitive ruling against the company.

Previous Actions and Pending Resolutions

The closest the DPC has come to a decision was a preliminary suspension order issued last year, concerning Facebook’s EU to U.S. data transfers. However, this complaint predates the GDPR, and Facebook immediately sought to block the order through legal channels. A resolution is anticipated later this year following a judicial review of the DPC’s procedures.

Potential Fines Under GDPR

The EU’s data protection regulations, at least theoretically, allow for fines of up to 4% of a company’s global annual turnover for the most severe violations.

Limited Enforcement to Date

However, the sole GDPR fine issued by the DPC against a tech giant (Twitter) is significantly lower than this theoretical maximum. In December, the regulator announced a €450,000 (~$547,000) sanction against Twitter, representing approximately 0.1% of the company’s full-year revenue.

Facebook's Breach and Potential Sanctions

This penalty stemmed from a data breach that Twitter had publicly disclosed upon its discovery in 2019. Facebook’s failure to disclose the vulnerability it identified and claimed to have resolved by September 2019, leading to the leak of 533 million accounts, suggests it should face a more substantial penalty from the DPC.

Challenges with DPC's Procedural Pace

Even if Facebook receives a larger GDPR penalty, the investigation is only a few days old, and the DPC’s substantial caseload and deliberate procedural pace make a swift resolution unlikely.

Justification for Parallel Litigation

Considering the DPC’s past performance, a decision on this 2019 Facebook leak is likely years away. This probably explains DRI’s decision to pursue class action-style litigation alongside the regulatory investigation.

DRI's Motivation and Message

“Compensation is not the only thing that makes this mass action worth joining. It is important to send a message to large data controllers that they must comply with the law and that there is a cost to them if they do not,” DRI states on its website.

Complaint Submitted to the DPC

DRI also submitted a complaint regarding the Facebook breach to the DPC earlier this month, stating its intention to explore further options, including a mass action for damages in the Irish Courts.

Growing Opportunity for Litigation Funding

The gap in GDPR enforcement is creating an increasing opportunity for litigation funders to pursue data-related compensation damages in Europe, as evidenced by several other mass actions announced last year.

DRI's Focus on Upholding Digital Rights

DRI’s primary focus is on ensuring digital rights are protected. The organization believes that compelling tech giants to financially compensate users whose privacy rights have been violated is the most effective way to achieve legal compliance.

Facebook's Downplaying of the Breach

Facebook has attempted to minimize the significance of the 2019 breach it failed to disclose, characterizing the data as “old.” This argument overlooks the fact that fundamental personal information, such as dates of birth, rarely changes.

Potential for Misuse of Leaked Data

Much of the “old” data exposed in this recent Facebook leak will be valuable to spammers, fraudsters, and litigators seeking data-related damages against Facebook.

Natasha Lomas

Natasha's Extensive Journalism Career

Natasha served as a senior reporter with TechCrunch for over twelve years, spanning from September 2012 to April 2025. Her reporting was conducted from a European base.

Prior to her time at TechCrunch, she gained experience reviewing smartphones for CNET UK. This followed a period of more than five years dedicated to business technology coverage.

Early Career at silicon.com

Natasha’s early career included a significant role at silicon.com, which was later integrated into TechRepublic. During this time, her focus encompassed several key areas.

  • Mobile and wireless technologies
  • Telecoms & networking infrastructure
  • IT skills and training

She consistently delivered insightful reporting on these evolving technological landscapes.

Freelance Contributions

Beyond her staff positions, Natasha broadened her journalistic portfolio through freelance work. She contributed articles to prominent organizations such as The Guardian and the BBC.

Educational Background

Natasha’s academic credentials demonstrate a strong foundation in both humanities and journalism. She earned a First Class degree in English from Cambridge University.

Furthering her expertise, she completed a Master of Arts (MA) degree in journalism at Goldsmiths College, University of London. This advanced degree honed her skills in journalistic practice.
