Facebook could be liable for a $1,63 billion GDPR fine

October 10, 2018 In Design News

1. The Facebook breach: a GDPR test-case

On 28 September, Facebook notified the Irish Data Protection
Commissioner (DPC) about a massive data breach affecting more than 50
million of its users. The hack of the "view as" feature, which allowed
users to see their profile from the perspective of an external visitor
or friend, exploited an interaction of several bugs on Facebook and
allowed the intruders to acquire so-called "access tokens". With these
tokens, the attackers had access to personal data from the affected
accounts, potentially including personal messages.

The incident is a highly salient test-case for the application of the
General Data Protection Regulation (GDPR) in practice, specifically for:

1) Notification and provision of information: Under Article 33 of the
GDPR, an entity facing a breach must notify the relevant data protection
authority (DPA) within 72 hours, "where feasible". As the vulnerability
was discovered on 26 September, Facebook complied with this provision,
which is more than other companies (Uber being one of them) have done in
the past.
However, the information provided by Facebook so far seems to only have
delivered the very basics of what is required under the GDPR. The Irish
DPC publicly urged the enterprise to submit more details so the
authorities could properly assess the nature of the breach and the risk
to users. Article 34 of the GDPR further requires that individuals whose
personal data might have been compromised during the breach are notified
without undue delay of the incident and the counter-measures that have
been taken so far. Facebook implemented this by displaying a message in
the feed of the affected accounts. The information provided included an
initial overview of the "view as" weakness, as well as the statements
that the function has been turned off and that accounts that had used it
since July 2017 had their access tokens removed, requiring a new login.

2) Sanctions: The GDPR allows for sanctions against the entity that
faced the breach, which depend on the sensitivity of the compromised
information and the degree to which appropriate safeguards were not
implemented. Since approximately five million of the affected users come
from the EU, Facebook could be liable for a 1,63 billion US dollar fine
if that were found to be the case. Since the exact nature of the breach
is still being investigated by the Irish DPC, it remains unclear to what
extent the hacking was a result of negligence. In any case, the
investigation might bring some further clarification on how the
responsibility for the security of processing is allocated in practice,
and how strictly infringements of this obligation are sanctioned. Cases
like this thus offer an opportunity for other companies processing
users’ personal data to learn in more detail about their security
obligations under the GDPR, and provide them with examples on how to
respond to a data breach. For users, the investigation also serves an
important purpose: It shows them whether the security of their data is
actually taken seriously. If it is not and they suffer adverse effects
from that, they have the possibility to demand compensation, and since
the Irish implementation of the GDPR allows for collective redress, they
could even be represented by civil society in court. On the other hand,
the incident also emphasises that, even if Facebook did not act
carelessly, caution about uploading personal data is always advised, as
absolute safety of personal information is never certain.

This data breach is yet another example of the importance of secure and
confidential storing of personal data on the internet. While the news
shows that the GDPR has successfully obliged Facebook to communicate in a
more comprehensive and timely manner about its breach than other big
tech companies previously did, it is now of utmost importance to follow
up on the incident with an in-depth investigation: Users’ rights under
the GDPR should be fully and effectively enforced by the Irish DPC.

(Contribution by Yannic Blaschke, EDRi intern)