Digital Rights Ireland suing Facebook and DPC over data breach
In November, the Data Protection Commission (DPC) fined Meta €265m after a lengthy investigation prompted by reports that a “collated dataset” of user information for 533 million Facebook accounts had been made available on the web. File picture: Brian Lawless/PA
Both Facebook's owner Meta and the Data Protection Commission are being sued by Digital Rights Ireland which claims “justice has been denied” to victims of a massive data breach at the social media giant.
In November, the Data Protection Commission (DPC) fined Meta €265m after a lengthy investigation prompted by reports that a “collated dataset” of user information for 533 million Facebook accounts had been made available on the web.
Some 100 million EU-based Facebook users were affected. The vast majority of the leaked records included phone numbers, names, genders, and Facebook IDs.
While the DPC’s decision confirmed that Facebook had violated several principles of the European flagship GDPR data privacy legislation, it did not accept that this was a data breach which must be notified to the individual victims, according to Digital Rights Ireland.
Furthermore, it said that scammers could still use this “treasure trove” of data to help defraud people.
Its chair, Dr TJ McIntyre, said: “Facebook left the doors unlocked, but the DPC’s decision effectively means that Facebook isn’t responsible to individuals whose data was stolen.
“It denies that there has been any data breach for the actual victims of this failure and means that they do not have to be notified of the breach.”
In a letter to Digital Rights Ireland in December, the DPC said there was no personal data breach within the definition of Article 4 (12) of the GDPR. Under this section of the legislation, a personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Digital Rights Ireland is appealing this finding to the Circuit Court.
It argues that the DPC has “denied justice to victims by refusing to declare that there was a data breach or that the leak of the data was unlawful”. Furthermore, it accuses the DPC of operating an unfair procedure to the benefit of Facebook in dealing with the complaint.
“Over 100 million Europeans' data is still downloadable on the web today because of Facebook leaking private, personal data: real names, mobile phone numbers, date of births, and emails, a potential treasure trove for fraudsters,” Mr McIntyre said.
When reacting to the original fine dished out by the DPC in November, Meta said that it had made changes to its systems during the time in question including the ability to “scrape” its features using phone numbers.
"Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge,” it said. “We are reviewing this decision carefully.”
Both Meta and the DPC have been contacted for comment.
