Facebook fined $18.6 million for 2018 EU GDPR breach series – TechCrunch
Facebook’s parent company, Meta, was fined €17 million by the Irish Data Protection Commission (DPC) for a series of historical data breaches.
The security lapses in question, which appear to have affected 30 million Facebook users, date back several years and were disclosed by Facebook to the Irish regulator in 2018.
The DPC, Meta/Facebook’s lead privacy regulator in the European Union, opened the investigation in late 2018 after receiving no fewer than 12 data breach notifications from the tech giant over a six-month period, from June 7, 2018 to December 4, 2018.
The European Union’s General Data Protection Regulation (GDPR) – which came into force in May 2018 – places a legal requirement on data controllers to promptly disclose personal data breaches to the supervisory authority if the breach is likely to pose a risk to individuals. (The most serious breaches must be reported within 72 hours.)
“The investigation examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data in connection with twelve breach notifications,” the DPC wrote in a press release announcing its final decision on the Facebook investigation.
“As a result of the investigation, the DPC found that Meta Platforms violated Articles 5(2) and 24(1) of the GDPR. The DPC found that Meta Platforms did not have the appropriate technical and organisational measures in place to readily demonstrate the security measures it had actually implemented to protect the data of EU users, in the context of the twelve personal data breaches.”
In a statement reacting to the DPC’s penalty, a Meta spokesperson sought to downplay the episode as a one-off case of historical lax record-keeping, writing:
“This penalty is about 2018 record-keeping practices that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously and will weigh this decision carefully as our processes continue to evolve.”
The penalty announced by the DPC is the first final decision from Ireland on a GDPR investigation into Facebook itself since the regulation came into force nearly four years ago, although the regulator did issue a separate (larger) sanction against Facebook-owned WhatsApp last year for violating transparency rules.
The DPC confirmed that its draft decision on this Facebook investigation met with some objections from other EU data protection authorities, as also happened during an earlier investigation into a Twitter security breach, and with its transparency decision on WhatsApp. (In both of those cases, the GDPR’s dispute resolution mechanism resulted in higher penalties than Ireland had proposed.)
The DPC said two other authorities had objected to its draft decision on this Facebook investigation. But Ireland did not specify whether the fine was increased as a result of the objections, nor which authorities objected (or why).
It’s worth noting that the penalty is relatively small – it’s certainly a far cry from the theoretical maximum of 4% of Meta’s global annual revenue (which would be well over a billion dollars).
However, the DPC issued an even smaller fine (~$550k) to Twitter at the end of 2020, also for administrative failings surrounding a security breach notification.
While each case has its own nuances, it is quite clear that security breaches judged by EU authorities to be unintentional are less likely to incur large penalties than systematic or clear rule violations.
It also follows that a whole string of breaches has resulted in a larger penalty for Facebook than for Twitter, which reported only a single breach (not a dozen).
Big token hack
Details of all 12 Facebook privacy lapses during the six-month period in 2018 were not listed by the DPC in its sanction notice, but in September 2018 the tech giant disclosed a massive hack that it said affected at least 50 million accounts, after attackers exploited a security flaw on its website.
Facebook later said that only 30 million users had actually had their tokens stolen in the hack.
The bug, which dated back to July 2017, allowed attackers to obtain account access tokens, which are used to keep users logged in so they do not have to re-enter their usernames and passwords, meaning that stolen tokens could give attackers access to those accounts.
However, that massive token hack wasn’t the only security flaw facing the tech giant in 2018.
In June, Facebook notified users of a bug that had been live for a few days earlier that month and which, it said, inadvertently changed the suggested privacy setting for status updates to public, regardless of the setting a user had chosen previously, potentially causing up to 14 million users to over-share sensitive friends-only content with strangers.
Another bug, reported in November 2018, allowed any website to extract information from a Facebook user’s profile, including their ‘likes’ and interests, without the person knowing.
And at the end of that year, in December, Facebook disclosed a Photos API bug that it said gave app developers too much access to the photos of up to 5.6 million users.
This chain of security lapses came hard on the heels of the Cambridge Analytica story breaking into a global scandal in March 2018, as revelations that Facebook user data had been sucked out of its platform to be reused for advertising purposes by the Trump campaign, in an effort to influence the US election, wiped billions of dollars off its stock price.
The Cambridge Analytica scandal also prompted lawmakers and regulators around the world to step up scrutiny of Facebook’s handling of people’s information, and ultimately helped spur moves to reform and increase regulation of digital platforms (such as the UK’s forthcoming Online Safety law or the EU’s Digital Services Act).
But since the Cambridge Analytica scandal occurred before the GDPR took effect, Facebook largely escaped punishment from its lead European regulator for that particular episode. Had the timing been a little different, it would likely have faced a larger penalty.
The UK’s Information Commissioner’s Office (ICO) fined Facebook £500,000 over Cambridge Analytica, the maximum possible under the data protection regime then in force, before the GDPR. Facebook initially challenged the regulator’s decision, before agreeing to drop the appeal and pay the fine to settle with the ICO, without accepting liability. It later emerged that the ICO had agreed to keep quiet about the terms of that settlement.
Meanwhile, the final outcome of the full app audit that Facebook announced after the Cambridge Analytica scandal, in an attempt to reassure users that it was purging bad actors and locking down user data, has never come to light.
Since then, the GDPR has introduced a tougher legal mechanism for combating data misuse, at least across the EU (the UK is no longer a member state); however, protracted delays in enforcement amid continuing data scandals keep undermining the smooth operation of the regulation.
Ireland’s broader record on cross-border cases means a single decision against Facebook can do little to ease the strong criticism of its GDPR enforcement against big tech, at least while multiple other Facebook cases remain undecided. (And, as we reported yesterday, the DPC is currently being sued for inaction over a separate GDPR complaint targeting Google’s adtech.)
It is therefore unlikely to be an accident that the regulator chose today to publish a report on its handling of cross-border GDPR cases.
Among the stats it chose to highlight are the following (covering May 25, 2018 to December 31, 2021):
- The DPC has received 1,150 valid cross-border complaints; 969 (84%) as lead supervisory authority (LSA) and 181 (16%) as concerned supervisory authority (CSA).
- 588 (61%) of the cross-border complaints handled by the DPC as LSA were initially submitted to another supervisory authority and forwarded to the DPC.
- 65% of all cross-border complaints handled by the DPC as LSA since May 2018 have been concluded, with 82% of those received in 2018 and 75% of those received in 2019 concluded.
- Of the 634 concluded cross-border complaints handled by the DPC as LSA, 544 (86%) were resolved through amicable resolution to the benefit of the complainant.
- 72 (22%) of the open cross-border complaints are linked to an investigation and will be closed upon completion of that investigation. A large number of the open complaints remaining from 2018 and 2019 are linked to an investigation.
- 86% of all cross-border complaints handled by the DPC as LSA involve only 10 data controllers.
- 38% of complaints referred by the DPC to other EU/EEA LSAs (excluding the UK) have been concluded.