Irish open Facebook probe after Brussels intervention

Irish_2Another day, another Irish Data Protection Commission investigation launches into Facebook’s seemingly blatant disregard for customer data, but this time it is Brussels which has piled on the pressure for the probe.

Facebook and its WhatsApp and Instagram subsidiaries are currently the subject of nearly a dozen Irish DPC investigations but the latest leak, which emerged over the Easter weekend, is by far the biggest, allegedly exposing the personal details of about 533 million users.

Files posted on a hackers’ forum are said to contain details on more than 533 million Facebook users from 106 countries, including 44 million from Egypt, 39 million in Tunisia, 32 million in the US and 11 million in the UK.

As is tradition, Facebook has played down the incident. This time it insists the data, which includes full name, phone number, gender, date of birth, location, relationship status and email address, is not only publicly available but is not covered by GDPR.

However, the Irish DPC believes the leak may breach “one or more provisions” of GDPR and/or the Data Protection Act 2018. The regulator says it is seeking answers from Facebook.

The organisation stated: “Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service.

Crucially, the move comes after the European Commission intervened to apply pressure on Ireland’s data regulator.
European Commissioner for Justice Didier Reynders said earlier this week that he had “had words” with Commissioner Helen Dixon about the leak and urged the social media network to “cooperate actively” and provide more details on the “identified issues”.

The intervention comes amid ongoing criticism of the Irish DPC’s enforcement record. Its recent ruling against Twitter, which saw the tech giant receive a €450,000 (£410,000) fine for data breach failings, caused a rift with a number of EU DPAs who argued that it was not severe enough.

Data protection experts are awaiting a decision on the its latest ruling – against WhatsApp – which, like the Twitter decision, has to be approved by the other EU DPAs as it is a cross-border case.

In a statement, a Facebook spokesperson said that the company was cooperating fully with the Ireland DPC in its investigation.

Related stories
Facebook ‘not bothered’ over data leak affecting 533m
EU regulators mull €50m Irish GDPR fine for WhatsApp
Exposed: Row over ‘paltry’ Twitter fine threatens GDPR
Twitter fined just €450,000 in first major Irish ruling
Irish data regulator ‘go-slow’ triggers judicial review

The end is nigh: EU chiefs finally sanction Twitter fine
ICO and Irish DPC ‘among the worst GDPR enforcers’
Irish data regulator issues first GDPR ruling in two years
EU chiefs force review of Irish draft GDPR Twitter ruling
Irish data chief hits back over GDPR ‘soft touch’ claims