The Irish Data Protection Commission (DPC) has launched an inquiry into Facebook over concerns the social media giant may not have properly disclosed the full extent of a historic data leak and that it failed to report a subsequent breach within the necessary 72-hour timeframe.
Scrutiny from the data regulator came after a dataset containing 533 million users’ personal details recently resurfaced on a hacking forum.
Facebook said the data had been recycled from incidents that occurred between June 2017 and April 2018 and had already been publicly disclosed—prior to when the General Data Protection Regulation (GDPR) came into force.
The company added, however, that hackers had been scraping data from people’s Facebook profiles “prior to September 2019” through its “contact importer,” a feature designed to help users find friends to connect with using their Facebook contact lists.
“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer,” said Mike Clark, Facebook’s product management director, in an April 6 blog post.
Under the GDPR, companies are required to notify regulators of a breach within 72 hours.
Facebook’s apparent admission of failing to report—published the same day as the Irish DPC’s initial announcement but several hours later—prompted the data regulator to send the company a detailed list of questions and demands for further information.
A source told Compliance Week that Facebook had an April 9 deadline to answer the regulator’s requests.
On Wednesday, the Irish DPC launched an own-volition inquiry under the GDPR, as well as under Section 110 of the (Irish) Data Protection Act 2018 for any infringement of users’ data prior to the GDPR coming into force.
In a statement, the regulator said: “The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data.”
This latest GDPR inquiry is the 10th Facebook faces in Ireland.
Lawyers have suggested that, given the number of users involved in the possible breach, a fine—if one is imposed—could be sizeable. Several experts also believe the company could face multiple class actions.
A Facebook spokesperson said the company is “cooperating fully” with the investigation: “These features are common to many apps, and we look forward to explaining them and the protections we have put in place.”