Ireland’s Data Protection Commission, the body charged with overseeing Facebook’s privacy compliance in the European Union, said it had opened an investigation into the social media giant on Wednesday. If Facebook is found to have violated the EU’s data rules, it could face a monetary fine of up to 4% of its $86 billion global revenue, Business Insider reported.
Facebook was caught in yet another data scandal earlier this month, when the personal data of over 533 million Facebook users was dumped online for free on a hacking forum. The data included phone numbers that users didn’t make public on their Facebook profiles, which were scraped by cybercriminals in violation of Facebook’s terms of service.
In a statement, the DPC said it believes EU data rules “may have been, and/or are being, infringed in relation to Facebook Users’ personal data.”
“The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data,” the regulator said.
Facebook’s earlier attitude toward the data leak was insouciant. The social media platform had downplayed it, saying the data was scraped due to a vulnerability that the company patched in 2019, and refused to address the matter publicly.
A Facebook spokesman said last week that the social media company does not plan to notify the hundreds of millions affected by the data breach because it was not confident it had full visibility on which users would need to be notified. Facebook has said it plugged the hole after identifying the problem at the time.
But in response to the DPC’s investigation, a Facebook spokesman told Insider that it is cooperating with the inquiry, which it said is about how a vulnerability in a Facebook tool made it possible to gather information about a Facebook user by entering their phone number.
“We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place,” the spokesperson said.
Facebook has been enmeshed in a series of private data breach controversies since the notorious Cambridge Analytica scandal, and has been the subject of scrutiny in the United States and Europe, with antitrust and the use of private data being the primary concerns.
Following increasing cases of misuse of private information, the EU Commission and other watchdogs have stepped up their oversight of how social media platforms manage people’s data.
Late last year, the European Union started a new set of laws that will guide the use of data in Europe.
The DPC investigation will probe whether Facebook had a legal obligation to notify users and European regulators when it found and fixed the vulnerability.
“The Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect,” it said in a statement.
The EU’s data privacy rules, which are governed by the General Data Protection Regulation, known as GDPR, require such disclosures, but the GDPR only applies to data processed after 2018, and it’s not yet clear if the leaked Facebook data was scraped before the GDPR went into effect, Insider noted in the report.
European Commission Justice Commissioner Didier Reynders said on Monday that he had discussed the Facebook leak with DPC head Helen Dixon, will follow the case closely and is committed to supporting authorities. He urged Facebook to cooperate with the investigation.