Europeans affected by Facebook leak urged to join mass action lawsuit

Irish civil rights group Digital Rights Ireland says affected people could be awarded between €300 and €12,000

Social media giant Facebook is facing a mass action lawsuit in Europe over the recently reported data leak, which exposed the personal details of more than 530 million users online.

Irish civil rights group Digital Rights Ireland (DRI) says it plans to sue the tech giant in Irish courts on behalf of the thousands of Facebook users whose data was exposed.

The group has made a formal complaint to the Irish Data Protection Commission (DPC), and is preparing to take the case to court.

DRI alleges that Facebook not only failed to implement privacy by default to protect users' data, but also failed to notify the DPC or victims.

The rights group is inviting affected Europeans to join the lawsuit. People who are impacted and join the legal challenge could be awarded between €300 and €12,000 (£260 - £10,370) per person in damages.

'If you live in the European Union or European Economic Area, you can seek monetary damages from Facebook. The GDPR (General Data Protection Regulation) gives you the right to monetary compensation where your data protection rights have been breached,' the DRI states on its website.

Nearly 1.5 million people in Ireland are said to have been affected by the breach.

Antoin O Lachtnain, director of DRI, called the scale of the breach "gobsmacking." He added, "Facebook's handling of this breach has been entirely inadequate. This will be the first mass action of its kind but we're sure it won't be the last."

DRI chairman TJ McIntyre said forcing digital giants like Facebook to compensate users whose privacy rights were violated "is the most effective way to really change the behaviour of these big tech companies.

"The prospect of class and mass actions is going to be a major impetus for the largest and most profitable of tech companies to become legally compliant and stop treating user data like a commodity," he added.

The Facebook leak, reported earlier this month, exposed reams of personal information on users from more than 100 countries. That information included full names, phone numbers, gender, date of birth, location, relationship status and email addresses.

The company claimed the leak was related to an 'old' bug that was fixed by 2019. It added that malicious actors scraped the data using Facebook's contact importer tool before September 2019.

The company has since said that it does not intend to notify users whose details were leaked.

Last week, Ireland's DPC announced that it had opened an inquiry into the leak, which might have breached 'one or more provisions of the EU's General Data Protection Regulation (GDPR) and/or the Data Protection Act 2018'.

The regulator is in contact with Facebook Ireland and has raised queries in relation to GDPR compliance. If it finds Facebook guilty, the company could face a financial penalty of up to 4 per cent of its $86 billion (£62 billion) global revenue.

The DPC's move to launch an investigation came after the European Commission intervened to apply pressure. Didier Reynders, the European Commissioner for Justice, said that he had spoken with Ireland's Data Protection Commissioner, Helen Dixon, about the leak.

Last week, France's secretary of state for digital transition Cédric O also said that his country was expecting strong action from the DPC in the case, and that France could seek to rewrite EU rules if the Irish regulator fails to show its teeth to the tech giant.