Irish regulator opens GDPR inquiry into Facebook data leak

Facebook could face a financial penalty of up to 4 per cent of its $86 billion global revenue

Ireland's Data Protection Commission (DPC) has launched an inquiry into the Facebook data leak, which allegedly exposed the personal details of about 533 million users earlier this month.

The DPC believes the leak may breach 'one or more provisions' of the EU's General Data Protection Regulation (GDPR) and/or the Data Protection Act 2018.

The regulator is in contact with Facebook Ireland and has raised queries in relation to GDPR compliance.

'Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service,' the regulator stated.

If the DPC finds Facebook guilty, the company could face a financial penalty of up to 4 per cent of its $86 billion (£62 billion) global revenue.

The DPC's move to open a probe into the data leak comes after the European Commission intervened to apply pressure on Ireland's data regulator.

European Commissioner for Justice, Didier Reynders, said earlier this week that he had spoken with Ireland's Data Protection Commissioner, Helen Dixon, about the Facebook leak.

Reynders urged the social media network to "cooperate actively" and provide more details on the "identified issues".

In a statement, a Facebook spokesperson said that it was cooperating fully with Ireland's DPC in its investigation.

The spokesperson added that the matter relates to a feature that enables people to connect with their friends on the Facebook platform.

According to Bleeping Computer, Russia's telecommunications watchdog Roskomnadzor has also asked Facebook to provide complete information about the data leak. It has also urged the company to take 'all necessary measures' to prevent such leaks in future.

'No need' to notify

The latest Facebook data leak, which was reported earlier this month, exposed the personal details of more than 533 million users from 106 countries. The worst-hit countries include Egypt (44 million records), Tunisia (39 million), the USA (32 million) and the UK (11 million).

Exposed details included users' full names, phone numbers, gender, date of birth, location, relationship status and email address.

Responding to the reports on the leak, Facebook said it was related to an 'old' bug that was fixed by 2019. It added that malicious actors scraped the data using Facebook's contact importer tool before September 2019.

Last week, Facebook said it did not intend to notify the users whose details were leaked.

A Facebook spokesperson told Reuters that the company was not confident that it had full visibility on which users would need to be informed.

The spokesperson added that Facebook also took into account that it was not possible for users to fix the issue at their end, and that the "[scraped] data was publicly available".