Irish data protection authority to probe considerable data leak involving Facebook

The incident involving more than 500m users is a critical test for the DPC’s effectiveness as a one-stop-shop

The investigation has got off to a slow start: The Irish Data Protection Commission (DPC) is launching an investigation into Facebook after media reports more than 10 days ago that the personal data of more than 500m users was found available online. While the data appears to be several years old, it includes phone numbers, Facebook IDs, full names, locations, birthdates, and email addresses of users from 106 countries. While the DPC was quick to say it would establish the facts, it only launched a formal inquiry on 14 April.

Facebook tries to shift the blame: Facebook is portraying the incident as a ‘scraping’ exercise – i.e. lifting public information from the internet through automated software – rather than the result of hacking. This is noteworthy since it is an attempt by the company to avoid the consequences of failing to report the incident. Should the leak be considered a data breach, Facebook could incur the high fines of the GDPR – up to 4% of its annual worldwide revenue. The sheer scale of the leak and the company’s failure to report it quickly would certainly be a consideration when it comes to the setting of any fine. In recent weeks other companies have adopted the same defense. LinkedIn suffered a data breach on a similar scale on 8 April, and Clubhouse suffered a considerably smaller one shortly after, on 10 April. However, such a strategy is not guaranteed to work. It is unclear whether the information obtained was actually public, and in any case that is not relevant to the definition of a data breach under the GDPR.

The DPC must show it is up to the job: The one-stop-shop provisions in the GDPR make the DPC the lead authority for cases involving companies established in Ireland, such as Facebook and other Big Tech companies. Since the GDPR came into force, other authorities have repeatedly voiced their concerns about the DPC being slow and ineffective in taking action, and have disputed the effectiveness of the one-stop-shop mechanism. It is worth noting that the Italian DPA launched its own investigation into the LinkedIn breach, and the Hamburg DPA in Germany did the same for the Facebook case, a clear sign that their patience with the DPC’s handling of affairs is running out.

Source: https://www.dataprotection.ie/en/news-media/press-releases/dpc-launches-inquiry-facebook-relation-collated-dataset-facebook-user-personal-data-made-available