Facebook may have breached data protection regulations after the personal information of 533 million of its users was leaked online, Ireland’s data authority has said, as it announced an investigation into the social media giant.
Ireland’s Data Protection Commission (DPC) said in a statement on Wednesday that it will launch an inquiry in relation to media reports of a freely available online dataset containing users’ personal details.
The DPC said “one or more provisions” of the EU’s General Data Protection Regulation (GDPR), as well as Ireland’s Data Protection Act 2018, “may have been, and/or are being, infringed” by the huge breach.
It added that it has worked with Facebook Ireland to determine if the platform has “complied with its obligations” in relation to its search facility and contact-uploading services in Messenger, and also in Instagram, which is owned by Facebook.
Earlier this month, Business Insider reported that the details of 533 million Facebook users from 106 countries were made public online due to an issue the company said it fixed in 2019.
The dataset reportedly includes phone numbers, Facebook IDs, full names, locations, birthdates, bios, and email addresses.
Last week, a Facebook spokesperson responded to the story by saying “malicious actors” had obtained the data through “scraping” – a form of data extraction from web pages.
They said the company was “confident” the issue that allowed the mass scraping had been fixed, and stressed that the data taken did not include passwords, or financial or health information.
Another Facebook spokesperson said last week that the company had not notified the affected users and does not have plans to do so, as it is not confident which users need to be contacted.
Last month, the European Parliament adopted a resolution in which it voiced concerns that the GDPR was not being implemented as it should be, including in Ireland.
Some high-profile tech firms such as Facebook have registered their EU headquarters in Ireland and, until a recent European Court of Justice decision, privacy complaints against them could only be pursued by the Irish data authority.
The EU parliament’s resolution said it was “particularly concerned” that the DPC “generally” does not use sanctions in most cases, instead closing most cases with a settlement, and that some cases referred to it in 2018 have “not even reached the stage of a draft decision.”
The European commissioner for justice, Didier Reynders, said on Monday that he had spoken about the leak with Helen Dixon, the DPC’s data protection commissioner, and called on Facebook to swiftly “shed light” on the matter.
Like this story? Share it with a friend!