Ireland Investigates Facebook Data Leak Under GDPR

April 14, 2021
Facebook Data Leak Sparks EU Investigation

Facebook’s lead data supervisor in the European Union has opened an investigation into potential violations of data protection rules connected to the recently reported data leak.

Statement from the Irish Data Protection Commission

Facebook has been contacted by the Irish Data Protection Commission (IDPC) for clarification. Update: While the company has not yet issued a formal statement, it has confirmed ongoing communication with regulators to address their inquiries. Update 2: Facebook subsequently released the following statement: “We are fully cooperating with the IDPC’s enquiry, which concerns features designed to facilitate connections between people on our services. These features are prevalent across many applications, and we anticipate the opportunity to explain them and the safeguards we have implemented.”

European Commission Intervention

This action follows intervention from the European Commission, which applied pressure to Ireland’s data protection commissioner. Justice Commissioner Didier Reynders announced via Twitter on Monday that he had discussed the Facebook data leak with Helen Dixon, the Irish commissioner.

“The Commission is closely monitoring this situation and is dedicated to supporting national authorities,” he stated, further urging Facebook to “actively and promptly provide clarity regarding the identified issues”.

Collaboration and Information Sharing

A Commission spokesperson confirmed a virtual meeting between Reynders and Dixon, explaining: “Ms. Dixon provided the Commissioner with an overview of the issues and the various ongoing efforts to clarify the situation.”

“Both officials emphasized the importance of Facebook’s swift cooperation and the sharing of necessary information. It is essential to thoroughly investigate this leak, which has impacted millions of European citizens.”

“The assessment of this case rests with the Irish data protection authority. The Commission remains available to provide support if needed. The situation will also require further analysis for future considerations, and lessons must be learned,” the spokesperson added.

Details of the Data Leak

A vulnerability in Facebook’s platform, which allowed unidentified individuals to extract personal data – including email addresses and mobile phone numbers – from over 500 million Facebook accounts, came to light earlier this month. Facebook asserts that it fixed the issue in September 2019, before the data was posted for free download on a hacker forum.

https://twitter.com/UnderTheBreach/status/1378314424239460352

Failure to Notify Authorities

Despite the European Union’s data protection framework (GDPR) mandating data breach notifications, and carrying the risk of substantial fines for non-compliance, Facebook did not inform its lead EU data supervisory authority when the issue was identified and resolved. The Irish Data Protection Commission (DPC) learned of the breach through press reports, alongside the general public.

Lack of User Notification

Furthermore, Facebook has indicated it has no intention of individually notifying the 533 million+ users whose information was taken without their knowledge or consent, despite the increased risk of spam and phishing attacks for those affected.

Ongoing Investigations and Limited Enforcement

Privacy experts have noted that Facebook has yet to face any regulatory penalties under the GDPR, with numerous investigations into various Facebook businesses and practices still ongoing and no decisions issued by Ireland’s DPC. (The DPC has issued only one cross-border decision to date, fining Twitter approximately $550,000 in December for a breach disclosed in 2019.)

European Parliament Concerns

Last month, the European Parliament adopted a resolution on GDPR implementation, expressing “great concern” over its functioning. The resolution specifically raised concerns about the Irish data protection authority, stating that it “generally closes most cases with a settlement instead of a sanction and that cases referred to Ireland in 2018 have not even reached the stage of a draft decision pursuant to Article 60(3) of the GDPR”.

Increased Pressure on the DPC

The latest Facebook data scandal intensifies the pressure on the DPC, bolstering arguments from critics who contend that the GDPR is ineffective due to the current slow enforcement structure, particularly given the concentration of tech giants’ regional headquarters in Ireland and Luxembourg.

https://twitter.com/maxschrems/status/1380794291988148230

Reynders’ Public Concerns

On Thursday, Reynders publicly voiced his concerns regarding Ireland’s response to the Facebook data leak via Twitter, confirming the Commission had been in contact with the DPC.

His concern is personal, as Politico reported last week that Reynders’ own contact details, along with those of Luxembourg’s prime minister Xavier Bettel, and “dozens of EU officials” were included in the leaked data. However, the broader issue of weak GDPR enforcement affects all 446 million people across the bloc whose rights are not consistently and effectively protected.

“Strong GDPR enforcement is crucial,” Reynders also tweeted, urging Facebook to “fully cooperate with Irish authorities”.

Italian Data Protection Commission’s Request

Italy’s data protection commission also requested that Facebook immediately provide a service for Italian users to determine if they were affected by the breach. Facebook has not publicly acknowledged or responded to this request. Under the GDPR’s one-stop-shop mechanism, Facebook can limit its regulatory exposure by dealing directly with its lead EU data supervisor in Ireland.

Commission Review and Future Regulations

A two-year Commission review of the data protection regime, completed last summer, already highlighted problems with inconsistent enforcement. The lack of progress in resolving GDPR bottlenecks is a growing concern for the Commission, which is currently proposing a package of additional digital regulations. This makes enforcement a critical issue as EU lawmakers consider how new digital rules will be upheld if existing ones continue to be disregarded.

It is noteworthy that the EU’s executive has proposed a different, centralized enforcement structure for upcoming pan-EU legislation targeting digital services and tech giants. However, achieving agreement among all EU institutions and representatives on reshaping platform oversight remains a challenge.

Further Data Leaks

Meanwhile, further data leaks have emerged. Motherboard reported Friday on another alarming leak of Facebook data accessible through a bot on the Telegram messaging platform, which offers the names and phone numbers of users who have liked a given Facebook page (for a fee, unless the page has fewer than 100 likes).

This data appears separate from the 533 million+ scraped dataset, as confirmed by checks against the larger dataset via the breach advice site, haveibeenpwned. Alon Gal, who discovered the original leaked Facebook dataset, also compared data obtained via the bot and found no matches.

Facebook has been contacted for comment regarding the source of this leaked data, and this report will be updated with any response.

The Role of the EDPB

In his tweet regarding the 500 million+ Facebook data leak, Reynders referenced the European Data Protection Board (EDPB), a steering body comprising representatives from Member State data protection agencies, which aims to ensure consistent GDPR application.

However, the EDPB does not have enforcement powers and is not directly involved in national-level investigations. An EDPB spokesperson clarified: “Under the GDPR, enforcement and the investigation of potential violations lies with the national supervisory authorities. The EDPB does not have investigative powers per se and is not involved in investigations at the national level. As such, the EDPB cannot comment on the processing activities of specific companies.”

The spokesperson also noted that the Commission attends plenary meetings of the EDPB, and an exchange of views among members regarding the Facebook leak case may occur in the future, as attending supervisory authorities regularly share information on national-level cases.

Tags: GDPR, Facebook, data leak, Ireland, investigation, data protection