Data privacy regulator launches inquiry over leaked Facebook data

Investigation will look at how personal data for 530m users became public

The investigation covers Facebook’s EU users caught up in the leak because the DPC is the company’s EU regulator under the one-stop-shop mechanism of the sweeping 2018 GDPR data privacy law. Photograph: AFP via Getty
The investigation covers Facebook’s EU users caught up in the leak because the DPC is the company’s EU regulator under the one-stop-shop mechanism of the sweeping 2018 GDPR data privacy law. Photograph: AFP via Getty

The State's data privacy watchdog has started an inquiry into the circumstances around how personal data linked to about 530 million Facebook users worldwide became available online.

The Data Protection Commission said that it had launched an "own-volition inquiry" under data privacy laws in the wake of international media reports into leaked personal information of global users of the social network, including up to 1.5 million people affected in Ireland.

The investigation covers Facebook’s EU users caught up in the leak because the DPC is the company’s EU regulator under the one-stop-shop mechanism of the sweeping 2018 GDPR data privacy law that regulates the company out of country where its EU head office is located.

“The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses,” the regulator said.

READ MORE

“The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being infringed in relation to Facebook users’ personal data.”

The regulator said that it "considers it appropriate" to determine whether Facebook Ireland has complied with its obligations as data controller on the process of personal data of users through the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer.

The DPC said that the inquiry will assess whether any parts of the GDPR or Data Protection Act 2018 have been or are being infringed by the company.

‘Cooperating fully’

A spokeswoman for Facebook Ireland said that it was “cooperating fully” with the regulator in its inquiry.

The matter relates to “features that make it easier for people to find and connect with friends on our services,” she said

“These features are common to many apps and we look forward to explaining them and the protections we have put in place.”

In response to the reports, Facebook said last week that “malicious actors” had scraped the data by exploiting a vulnerability in a now-defunct feature on the platform that allowed users to find each other by phone number.

The company has said the personal information was publicly available and “scraped” prior to changes made to the platform in 2018 and 2019 and that the issue was fixed in August 2019.

However, the fact that the matter fell into the period since May 2018, when the GDPR regulation and the DPC’s powers to investigate came into effect, is one reason leading to the DPC’s inquiry.

The regulator has also received complaints from members of the public and other data protection regulators around the EU that their Facebook user data was not publicly available.

Online searches allowed Facebook users to input their mobile phone numbers and email addresses to see if they had been caught up in the data leak.

This is the DPC’s 28th inquiry into a “Big Tech” company involving users across several countries and the 15th into Facebook or its subsidiaries, Instagram or WhatsApp.

Simon Carswell

Simon Carswell

Simon Carswell is News Editor of The Irish Times