Irish Regulators Investigate Facebook Data Breach

Ireland’s Data Protection Commission is investigating whether Facebook broke the law when somebody leaked over 500 million users’ data on April 3 (stockcatalog). 

The Data Protection Commission (DPC), an Irish governmental agency responsible for investigating the misuse and poor protection of digital information, launched an inquiry into Facebook on April 14 after a massive data breach. An anonymous poster released personal data from around 533 million Facebook users on a hacking forum on April 3, including users’ personal phone numbers. The breach violated the privacy of approximately one-fifth of Facebook’s 2.6 billion active users.

While announcing the investigation in a press release on its website, the DPC indicated that Facebook may have violated data protection laws in Ireland and the EU: “The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed,” the agency wrote online, referring to the EU’s General Data Protection Regulation and a similar Irish law. Fewer than 2 million of the affected users are Irish, but because Facebook’s European offices are in Ireland, that country has jurisdiction to investigate under the EU’s data protection laws.

Facebook responded to the incident on April 6 by pointing out that all of the information was already publicly available on users’ profiles, and that somebody had simply collected it by “scraping” the website, meaning they used a program to quickly and automatically search public profiles for information. The company pleaded innocent, saying, “This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.” In a leaked internal email, Facebook staff said that they should try to limit press coverage and downplay the data leak as a common problem, saying, “We expect more scraping incidents and think it's important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly.”

Under the EU’s General Data Protection Regulation of 2016, companies located in the EU must ensure that personal information is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing.” If the DPC finds through its investigation that Facebook failed to meet these obligations, the statute says that the company could face a fine of up to four percent of its global revenue from the previous year: for reference, Facebook brought in over $84 billion in 2020, meaning that fine could cost the company approximately $3.3 billion.

The EU’s data protection regulations are considered some of the most restrictive in the world, and national enforcement agencies regularly apply them. While the Federal Trade Commission, which enforces US data protection laws, only lists 27 cases of consumer privacy enforcement in 2020 and 2021, the EU has undertaken 451 such cases in the same time period. The largest fine ever issued under the GDPR was a 204.6 million euro penalty against British Airways in 2020, but Facebook could break this record if the DPC finds them guilty. 

Facebook has more active users than any other social media platform in the world, and its network collects and stores all of their data. As technological innovations continue at a rapid pace, the security of that data is simultaneously developing into a greater concern for companies, governments, and individuals who want to stay connected and utilize social media services, but also want to protect their identities and personal information. Although Ireland’s data protection regulations may appear comparatively harsh now, it’s not unlikely that many other national governments, including the U.S., will enact similar legislation in the coming years.