8/16/2023 0 Comments Facebook privacy breach![]() ![]() Therefore it finds no infringement of the security of processing as defined by the GDPR - so no personal data breach, under the regulation and, consequently, no direct liability link to individuals for exposing their information and no need for the tech giant to consider whether it should inform affected users of a security breach. So, essentially, the Irish regulator’s finding asserts that the Facebook data scraping breach occurred because of the design of Meta’s systems being insecure - yet, simultaneously, declines to find that users’ data was exposed because of a security vulnerability. In the letter, the DPC also asserts that: “The configuration of the Meta systems permitted such scraping to occur at the material time and this was the basis upon which the DPC found an infringement of Article 25.” Accordingly, as security was not infringed, there was no personal data breach within the definition of Article 4(12) and for that reason Article 34 was therefore not applicable. The facts of this case, as established by the DPC, led to a conclusion that the data was not collated arising from exposure as a result of a security vulnerability falling for examination under Article 32 GDPR, but rather arose as a result of the very design of the relevant features of the platforms. And in an update sent by the DPC to DRI in December, which has been shared with TechCrunch, the regulator writes: The total number of affected Facebook users globally is estimated to number around 533M - so the EU component of this data-scraping breach is also just the tip of the iceberg.įollowing media reports of the data-scraping breach last year, DRI complained to the DPC on behalf of two data subjects whose information had been exposed - which led on to the DPC opening an own volition enquiry in April 2021. ![]() The design of this feature was insecure in that it allowed large sets of phone numbers to be uploaded - enabling malicious actors to find phone numbers that matched Facebook profiles and, via this method, collate a massive data-set on individuals that included (in the majority of cases) phone numbers, names, genders and Facebook IDs that was later found exposed online.ĭata-sets containing linked names and phone numbers plus social media profile information offer what DRI calls a “treasure trove” for fraudsters to target people - such as via phishing and social engineering techniques. ![]() The unknown entity/entities involved in the breach were able to obtain data on Facebook users by using a contact importer feature the platform had offered up to September 2019. However the regulator’s decision avoided doing that. And had the DPC’s decision acknowledged a security breach it would have simplified such litigation in this case. Such mass legal actions have been on the uptick in the region in recent years - and are set to be bolstered this year as enforcement of the EU’s Collective Redress Directive begins. ![]() Instead Meta could pay a fine representing a tiny fraction of its revenue to make the matter go away.Ī finding of an administrative breach of GDPR - rather than a security breach, which would identify Facebook as liable to the individuals whose personal data was exposed - also looks relatively convenient for the tech giant when it comes to potential liability over the episode given affected individuals could pursue class-action style litigation for damages. However the lack of a finding by the DPC of a breach of the security of processing (aka Article 32 of the GDPR) meant there was no requirement for Meta to notify the 100 million or so EU-based Facebook users whose information was exposed and subsequently posted to online forums via the data-scraping of Facebook users carried out by unknown “malicious actors”. Instead, in a final decision of Novemon an own volition enquiry the DPC opened in response to the incident, it found a breach by Meta of the GDPR’s requirement for data protection by design and default. The legal action, reported earlier by the Irish Examiner, is being brought by the digital rights group, Digital Rights Ireland (DRI) - which raised a complaint about the breach on behalf of two affected individuals and is unhappy about the finding by the Irish regulator that no security breach occurred. Facebook-owner Meta and its lead data protection regulator in the European Union, the Irish Data Protection Commission (DPC), are facing an interesting legal challenge over a major data-scraping breach that led to a €265 million penalty for Facebook last year under the bloc’s General Data Protection Regulation (GDPR). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |