Facebook Under Investigation For Massive Data Leak

The Irish Data Protection Commission has launched an investigation into the massive leak of Facebook user data online. It was recently revealed that the personal data of more than 530 million Facebook users had been posted in a low-level hacking forum, with users’ phone numbers being offered for sale. Facebook’s defence is that the data concerned was scraped, rather than hacked, and that users’ own privacy settings were to blame (this despite the fact that ‘Public’ was the default setting, even where the phone number was set to ‘Only me’). The company also claimed that the data had been scraped before the introduction of GDPR, meaning that it didn’t nered to report the leak.

“Based on our investigation to date, we believe that the information in the data-set released this weekend was publicly available and scraped prior to changes made to the platform in 2018 and 2019,” it said. However, the Irish Data Protection Commission (DPC), which oversees the Dublin-headquartered company, was sceptical, suggesting that some of the data at least might date from a later period and this be subject to GDPR.

And now, following pressure from the European Commission, it’s announced its intention to launch a full inquiry.

“The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data,” it says in a statement. “Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect.”

Facebook, while claiming that the contact-importing feature in question is common to many apps, has said it will cooperate with the enquiry.

The DPC’s move follows calls by the European Commission for a full investigation. Earlier this week, justice commissioner Didier Reynders said he’d spoken with data protection commissioner Helen Dixon about the matter, and was calling on Facebook to ‘actively and swiftly… shed light on the identified issues’.

If Facebook is found to be in breach of GDPR, it could face fines of up to four per cent of turnover. The company is already the subject of more than a dozen investigations by the DPC, none of which has yet reached a conclusion.