Instead, in a final decision of Novemon an own volition enquiry the DPC opened in response to the incident, it found a breach by Meta of the GDPR’s requirement for data protection by design and default.

The legal action, reported earlier by the Irish Examiner, is being brought by the digital rights group, Digital Rights Ireland (DRI) - which raised a complaint about the breach on behalf of two affected individuals and is unhappy about the finding by the Irish regulator that no security breach occurred.

“It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information.”

Facebook-owner Meta and its lead data protection regulator in the European Union, the Irish Data Protection Commission (DPC), are facing an interesting legal challenge over a major data-scraping breach that led to a €265 million penalty for Facebook last year under the bloc’s General Data Protection Regulation (GDPR).

“The data at issue appears to have been collated by third parties and potentially stems from multiple sources,” the Irish data protection body reported Facebook as saying.

It is believed that the breach to which Facebook refers is a vulnerability in the contact importer feature of the platform, which allowed users to directly find others using phone numbers, across Facebook and Instagram.

A loophole in the system allowed for hackers to imitate Facebook administrators to pair up users to phone numbers.

EURACTIV understands that a sample of the data posted on hacker forums this weekend matches that which had previously surfaced as part of the contact importer vulnerability that was fixed in late August 2019.

For their part, Facebook was keen to inform the Irish data protection body that an ‘extensive investigation’ is underway to get to the bottom of the leak.
The statement to the Irish DPC is therefore at odds with the earlier Facebook position, which had noted the vulnerability to be fixed in August 2019 – which would have placed additional legal obligations on the company under the EU’s GDPR.

The EU’s general data protection regulation (GDPR), which came into effect in May 2018, would have imposed legal obligations on Facebook to notify the competent data protection authority within 72 hours, as well as potentially notifying users without undue delay.

But, “because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” the statement from the Irish data watchdog read.

However, speaking to the Irish data protection commission on Tuesday (6 March) – the competent body for dealing with the company’s violations against EU data protection law – Facebook said that it had ‘closed off a vulnerability in its phone lookup functionality’ by April 2018.

In response to the news, Facebook’s communications department said that the data “was previously reported on in 2019” and that the company “found and fixed this issue in August 2019.”

The figures detail that around 100 million EU citizens may have been impacted by the data leak, including 36.6 million users from Italy, 10.9 million from Spain, and six million from Germany.

Some email addresses also appeared to have been scraped.

Over the weekend (3-4 April), the personal data of millions of Facebook users appeared on an online hacking forum, including phone numbers, Facebook IDs, biographical information, and locations.

Facebook has told the Irish Data Protection Commission that a breach involving the personal information of 533 million users worldwide took place prior to the entry into force of the EU’s General Data Protection Regulation in 2018, and the company therefore ‘chose not to notify’ the violation to the authorities.