A report is highlighting a potentially huge legal liability for Facebook. It says that Facebook didn’t proactively notify EU regulators about the leak.
Over the weekend, we reported on yet another data breach that has hit Facebook. In all, the personal data of an estimated 533 million users was exposed. At the time, Facebook dragged its feet in acknowledging that the breach took place. Only after media outlets pressed the company was a comment finally dragged out of it. In that response, Facebook dismissed the breach, saying that the data is old and no big deal. The problem is that users were never notified of this security threat.
Now, we’re learning that European regulators were not notified about the latest incident either. A report from BNN quotes Ireland’s Data Protection Commission, Facebook’s lead privacy regulator in the EU, saying that it has not been proactively notified about the latest incident. From BNN:
Facebook Inc.’s top privacy regulator in the European Union said it’s looking into a leak over the weekend of the personal data of more than half a billion users of the social media service.
The Irish Data Protection Commission is trying to “establish the full facts” since the weekend and so far “received no proactive communication from Facebook,” the regulator said in a statement on its website on Tuesday. It said the tech company assured it that “it is giving highest priority to providing firm answers” to the authority.
Legally, this is potentially problematic for Facebook. Europe’s General Data Protection Regulation (GDPR) took effect in May 2018. Part of the requirements for maintaining compliance is that a company must notify its regulator of a personal data breach without undue delay once it becomes aware of it. As we noted in past reports, that window is 72 hours, and the clock starts when the company becomes aware of the breach, not when the public finds out. (The law does carve out breaches that are unlikely to put the affected people at risk, but the company still has to document that call, and the regulator can second-guess it.) First of all, this breach reportedly took place in 2019, so it is well after the law took effect. Second, we are well past 72 hours to alert authorities. By Facebook’s own admission, it knew that this occurred. That alone represents a potential violation of the GDPR.
Additionally, no action was taken to help users secure their personal information, even though the GDPR separately requires telling affected people directly when a breach is likely to put them at high risk. If that is not a violation of the GDPR, then it is a violation of public trust at minimum.
Another angle in all of this is enforcement. What can play into how the law is enforced is whether this is a first-time offense or not. In the context of GDPR violations, we’re not sure if there is any give on that front. However, the thing to remember is that this is far from the first security incident at Facebook. There was the data leak that saw 267 million users compromised back in 2019. That came a mere four months after another data leak that saw 419 million users compromised. Then there was the hack a year earlier which saw 50 million users compromised. So, we’re talking about a repeat offender here. If there is give in the law, that shrinks the list of reasons why any regulator would want to be lenient in this case.
Another fact is that European users were affected by this latest leak. So, the law most certainly applies here.
Unless the facts turn out to be wildly different from what is being reported here, it’s really difficult to see how regulators shouldn’t just throw the book at this platform over this incident. At this point, what more reason would one need? With what we know now, it’s practically plain as day a violation of the GDPR. The only moving part is how quickly this law can be enforced in Ireland. If Irish regulators are still as backed up as they were in 2019, then the only thing that would even remotely save Facebook is time, and for all we know, that clock is ticking.
Drew Wilson on Twitter: @icecube85 and Facebook.