Ireland’s Data Protection Commission (DPC) has initiated an own-volition inquiry under section 110 of the Irish Data Protection Act of 2018 following the leak of a vast tranche of personal data on Facebook users that had been scraped from the site.
The leaked data was scraped from Facebook some time ago by malicious actors who took advantage of a vulnerability in a contact-sharing feature. The vulnerability was locked down after being discovered, so this exploit is no longer possible, but not before someone had made off with the data.
Earlier this year, the trove resurfaced after being offered for sale on a dark web marketplace. Notably, it contains mobile phone numbers that Facebook users had linked to their accounts, increasing the risk of those users becoming victims of crime. The leak compromised the data of about 1.5 million Irish people and 11.5 million Britons.
Facebook is yet to apologise for the leak or acknowledge the concerns of its users and has no plans to proactively contact them.
In a statement, the DPC said: “The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR [General Data Protection Regulation] compliance, to which Facebook Ireland furnished a number of responses.
“The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook users’ personal data.
“Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect.”
The DPC had previously held back on launching a formal investigation, saying that because much of the leaked data seemed to have been scraped before the GDPR came into force, a successful enforcement action may not be possible.
The launch of an investigation by the Irish authorities is significant because Ireland remains home to Facebook’s European headquarters. This means the DPC would act as the lead regulator within the European Union on all matters related to Facebook.
In a statement circulated to media outlets, Facebook said: “We are cooperating fully with the DPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place.”