Facebook’s massive data leak starts to have important knock-on effects – and potentially serious ones for Ireland

Posted on Apr 20, 2021 by Glyn Moody
Facebook privacy issues

A couple of weeks ago, this blog wrote about Facebook’s huge data leak of 533 million personal data records online. As that post noted, despite the huge numbers involved, this wasn’t the first time sensitive data had been exfiltrated from Facebook on this scale. And yet on this occasion something has changed. Certainly not Facebook’s cavalier attitude to the harm it has caused its users. It has still not offered any apology, or even bothered formally notifying users of the breach.

Instead, it seems to think that by constantly repeating the word “privacy” like a mantra, people will believe that it is doing enough to protect sensitive personal data. For example, last week, it issued a press release entitled “How We Combat Scraping“. It ended with a section “What You Can Do to Help Keep Your Data Safe”, which used the word “privacy” six times, and basically implied that the data breach was somehow users’ fault, and that they really ought to be more careful in future.

A few days later, the company thought it needed to emphasize that despite carelessly allowing half a billion user profiles to be scraped from its site, it really cares about privacy. So it issued another press release, detailing “Our Privacy Progress and the Path Ahead“. This cleverly tries to insinuate that the company has made progress, despite yet another loss of data. And to prove it, Facebook has published what it calls a Privacy Progress Update, including this “Commitment to Changing”:

We’ve previously shared our commitment to changing our privacy approach and investing in efforts to ensure we protect people’s privacy. We are making progress on our work to build a stronger privacy foundation by designing processes and technical mechanisms that drive accountability and ensure privacy is everyone’s responsibility at Facebook.

The main element here seems to be to claim that despite its continuing failures, this time it’s really serious about putting privacy at the heart of Facebook. Exactly as Mark Zuckerberg said in 2019: “I know that we don’t exactly have the strongest reputation on privacy right now, to put it lightly. But I’m committed to doing this well, and starting a new chapter for our products.” Presumably he’ll be saying the same in 2023, 2025, and so on into the distant future. Or maybe not. Because even if Facebook is unwilling – or unable – to address its massive privacy disasters, other people have had enough, and aim to do something about it. For example, Digital Rights Ireland, the leading digital privacy group in that country, has just started legal action against Facebook under the GDPR:

If you live in the European Union or European Economic Area, you can seek monetary damages from Facebook. The GDPR (General Data Protection Regulation) gives you the right to monetary compensation where your data protection rights have been breached.

Digital Rights Ireland are commencing a ‘mass action’ against Facebook on behalf of users who have been affected. You can sign up now to get details of how to join the case.

Digital Rights Ireland (DRI) is not to be underestimated. Legal action instigated by the group led to the EU’s entire data retention law being thrown out by the Court of Justice of the European Union in 2014. The DRI has also filed a complaint on behalf of individuals whose personal details were leaked by Facebook, with Ireland’s Data Protection Commission (DPC). Because of the way the GDPR is enforced, it is the DPC that would examine whether Facebook should be fined over the latest leak. And that is precisely what the DPC has just announced it will do:

the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect.

However, as Privacy News Online has noted, the DPC has opened a number of investigations into Facebook in the past, and yet has failed to impose any fines as a result. Its credibility is already on the line, so perhaps the high profile Facebook leak will finally force it to act and to impose a serious fine on the company just to prove that it is not a paper tiger. There’s an interesting new factor that makes doing so even more imperative. As the Irish Council for Civil Liberties (ICCL) points out, the US senator Ron Wyden has proposed a new Bill to impose export controls on personal data about US citizens flowing to other countries that have inadequate data protections. If Ireland were designated as having inadequate protection for US personal data, it would be unable to process the data of customers in the US, and that would be a major problem for the many computer companies located in Ireland. That’s similar to the GDPR requirement of “adequacy” of data flows to the US and elsewhere.

ICCL understands from those who wrote the draft Bill that Ireland’s failure to enforce the GDPR is of particular concern. The Bill intentionally uses language from the GDPR, and targets this enforcement failure. The draft Bill makes clear that merely enacting strong data protection law such as the GDPR is not enough. That law must be enforced.

If the DPC fails to tackle Facebook and other companies over their failure to obey the GDPR, Ireland might find itself cut off from US data flows thanks to laws modelled on the GDPR – an ironic turn of events.

Featured image by fotoblend.