Ireland’s Data Protection Commission this week launched an investigation into whether Facebook failed to adequately protect users' personal info – and whether it fell foul of GDPR – when a package of 533 million profiles was given away for free online.
Phone numbers, email addresses, birthdays, and marital status had been offered for free on a cyber-crime forum, it emerged this month. The data was harvested in 2019 by miscreants who exploited a security shortcoming to scrape the info from people's Facebook profiles.
Facebook previously told El Reg it patched up the security hole that same year. The data was flogged online in 2020, and was made available for free this year.
Now, Ireland’s data privacy watchdog believes “one or more provisions” of the GDPR and the Data Protection Act 2018 may have been, or are still being, violated by the Silicon Valley giant when it comes to the personal data of Facebook users.
“Accordingly, the commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect,” it said in a statement on Wednesday.
“We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services,” a Facebook spokesperson told The Register. “These features are common to many apps and we look forward to explaining them and the protections we have put in place.”
It’s not the first time Facebook has caught the attention of the watchdog. In 2019, the commission investigated whether the antisocial media giant had trampled over GDPR when it logged hundreds of millions of user account passwords in plain text on its servers. Companies that violate GDPR can be fined up to €20 million ($24.1m) or up to four per cent of their previous year’s global annual revenues, whichever is higher. ®