The GDPR meets its first challenge: Facebook
Facebook’s repeated data breaches are precisely what the General Data Protection Regulation tried to address with its explicit guidelines about reporting breaches. Facebook’s haphazard response has it facing a fine of over $1.6 billion.
Facebook is getting to know privacy legislation pretty well. It has already been fined £500,000 for its involvement in the Cambridge Analytica scandal, the maximum amount allowed under the UK’s old Data Protection Act of 1998. Now that the GDPR is in place, Facebook could face a fine of up to 4 percent of its annual global turnover which, based on its performance over the past fiscal year, could amount to $1.63 billion.
This looming fine stems from the data breach that Facebook discovered in September of last year. Due to three separate bugs, hackers were able to take advantage of a vulnerability in its “View As” feature and steal the access tokens for roughly 50 million users. These access tokens allowed hackers to take over users’ accounts.
Here Facebook compounded its errors by not being entirely forthcoming. The GDPR requires companies to notify the relevant data protection authority, in this case the Irish Data Protection Commission (IDPC), within 72 hours, “where feasible.” This vulnerability was discovered on Sept. 26 and Facebook reported it just within the three-day limit. However, Facebook did not share all the pertinent details, which led the IDPC to tweet on Sept. 30 that it was still waiting on “urgent details of the security breach.”
Facebook’s trouble continued when the social network put out a notification in December that another, unrelated bug had exposed 6.8 million users’ private photos to up to 1,500 different applications for nearly two weeks. This bug had been discovered and fixed back on Sept. 25, and yet Facebook did not alert affected users, the public, or authorities for almost three months.
When asked for an explanation, a Facebook spokesperson told Forbes, “We notified the IDPC as soon as we established it was considered a reportable breach under GDPR. We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72-hour timeframe.”
Facebook has tried different strategies for circumventing the intent of the GDPR. In the first case, it complied with the timeline set out by the GDPR but left out crucial details. In the second case, Facebook interpreted the GDPR to say that a company has an unlimited amount of time to investigate a breach. Only once the investigation is complete, and the company has decided that the breach is “reportable,” does the three-day time limit kick in.
In the same Forbes piece, the IDPC’s Head of Communications commented on the latest Facebook breach, saying “The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018. With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.” However, the IDPC has stopped short of refuting Facebook’s stated logic about how data breaches should be reported. Nor has it offered any further explanation or guidance on how it will deal with this matter.
After the initial access token breach, most data security experts expected Facebook to get off lightly. In a Guardian story from October of last year, Rowenna Fielding, a senior data protection lead at Protecture Limited, said: “The Irish regulator doesn’t really have a track record of robust enforcement, so I don’t think Facebook is likely to be concerned about penalties they might levy.”
Facebook’s repeated infractions have ratcheted up the pressure. This showdown between the IDPC and Facebook could be an early defining moment of the GDPR, showing whether the regulation has teeth or whether it is just hollow words on the page.