Facebook parent company Meta has been fined 17 million euros (~$18.6 million) by the Irish Data Protection Commission (DPC) for a series of historic data breaches.
The security lapses in question, which affected up to 30 million Facebook users, date back several years and were disclosed by Facebook to the Irish regulator in 2018.
The DPC, Meta/Facebook’s lead privacy regulator in the EU, opened this security-related inquiry in late 2018 after receiving no fewer than 12 data breach notifications from the tech giant over a six-month period between June 7, 2018 and December 4, 2018.
The EU General Data Protection Regulation (GDPR), which came into force in May 2018, requires data controllers to notify a supervisory authority of a personal data breach without undue delay, and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
“The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications,” the DPC said in a press release announcing its final decision on the Facebook inquiry.
“As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.”
In a statement responding to the DPC’s decision, a Meta spokesperson sought to play down the episode as a historical record-keeping issue, writing:
“This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve.”
The fine is the DPC’s first final decision in a GDPR inquiry into Facebook since the regulation came into force almost four years ago, although the regulator issued a separate (and larger) sanction against Facebook-owned WhatsApp last year over breaches of the GDPR’s transparency rules.
The DPC confirmed that its draft decision in this Facebook inquiry drew objections from other EU data protection authorities, as happened both in its earlier Twitter security breach inquiry and in the WhatsApp transparency decision. (In both of those cases, the GDPR’s dispute resolution mechanism resulted in a higher penalty than Ireland had proposed.)
The DPC said two other authorities raised objections to its draft decision on the Facebook inquiry. But Ireland did not specify whether the fine was increased as a result of those objections, nor which authorities objected (or why).
It is worth noting that the penalty is relatively small: it is certainly nowhere near the theoretical maximum of 4% of Meta’s global annual turnover (which would run to billions of dollars).
That said, at the end of 2020 the DPC imposed an even smaller fine (~$550k) on Twitter for administrative failings around its notification of a security breach.
While the specifics of what went wrong differ in each case, it is clear that security lapses the EU regulator regards as inadvertent attract far smaller fines than systemic or deliberate rule-breaking.
The larger number of lapses also explains why Facebook’s fine is higher than Twitter’s, which related to a single breach notification rather than a dozen.
Big token hack
The DPC did not detail all 12 breaches Facebook notified over those six months of 2018 when it announced its decision, but in September 2018 the tech giant publicly disclosed a major hack, which it initially said affected up to 50 million accounts, after attackers exploited a vulnerability on the site.
Facebook later revised that figure, saying access tokens for 30 million users had actually been stolen in the attack.
The bug, which dated back to July 2017, allowed attackers to obtain account access tokens, the credentials Facebook issues to keep users logged in after they enter their username and password. Because a valid token stands in for the login itself, whoever held a stolen token could take over the corresponding account without needing the password.
However, this major token hack was not the only security flaw for the tech giant in 2018.
In June, Facebook notified users of a bug that had been live for several days earlier in the year, during which the company inadvertently set the suggested audience for new status updates to public regardless of the user’s previous setting, potentially leading as many as 14 million users to share with strangers content they had intended only for friends.
Another bug we reported in November 2018 allowed any website to extract information from a user’s Facebook profile, including their “likes” and interests, without the person’s knowledge.
And later that year, in December, Facebook publicly disclosed a Photos API bug that had given third-party app developers broader access to the photos of up to 6.8 million users than they should have had.
This run of security lapses followed the Cambridge Analytica story, which erupted into a global scandal in March 2018 when it emerged that Facebook user data had been extracted from its platform and used for opaque political ad targeting, including by the Trump campaign during the U.S. election, wiping billions of dollars off Facebook’s stock price.
The Cambridge Analytica scandal also prompted lawmakers and regulators around the world to step up their scrutiny of Facebook’s handling of people’s information, which in turn fed into moves to increase oversight and regulation of digital platforms (such as the UK’s incoming online safety legislation or the European Union’s Digital Services Act).
But because the Cambridge Analytica scandal predated the GDPR, Facebook largely avoided direct sanctions from regulators in Europe over that particular episode. Had the timing been a little different, a considerably larger fine could have been expected.
The UK Information Commissioner’s Office did fine Facebook £500,000 over Cambridge Analytica, the maximum possible under the pre-GDPR data protection regime. Facebook contested that decision, however, before agreeing to drop its appeal and pay the penalty in a settlement in which it accepted no liability. It later emerged that the ICO had agreed to remain silent on certain matters as part of the settlement terms.
Meanwhile, the final results of the platform-wide app audit that Facebook said it would carry out after the Cambridge Analytica scandal, to reassure users it was rooting out bad actors and locking down access to user data, have never seen the light of day.
The GDPR has since put a stronger legal regime in place against data misuse, at least in the European Union (the UK is no longer a member state), but the long gaps between data scandals and enforcement have kept the regulation in the firing line.
Ireland’s record of slow progress on cross-border cases means a single decision against Facebook is unlikely to quell sharp criticism of the pace of GDPR enforcement against big tech, not least given that many of the other investigations into Facebook remain unresolved. (And as we reported yesterday, the DPC is now being sued for inaction over a separate GDPR complaint concerning Google’s education technology.)
It is therefore probably no coincidence that the regulator also chose today to publish a report on its handling of GDPR cross-border complaints.
The figures it highlights include the following (covering the period May 25, 2018 to December 31, 2021):
- The DPC received 1,150 valid cross-border complaints: 969 (84%) as lead supervisory authority (LSA) and 181 (16%) as concerned supervisory authority (CSA).
- 588 (61%) of the cross-border complaints processed by the DPC as an LSA were initially filed with another supervisory authority and transferred to the DPC.
- 65% of all cross-border complaints handled by the DPC as LSA since May 2018 have been concluded; for complaints received in 2018 and 2019 the figures are 82% and 75% respectively.
- Of the 634 cross-border complaints concluded by the DPC as LSA, 544 (86%) were resolved by amicable resolution in the complainant’s favour.
- 72 (22%) of the pending cross-border complaints are linked to an inquiry and will be concluded when that inquiry concludes. The majority of outstanding complaints from 2018 and 2019 are linked to inquiries.
- Of all cross-border complaints handled by the DPC as an LSA, 86% relate to only 10 data controllers.
- 38% of the complaints the DPC transferred to other supervisory authorities in the EU/EEA (excluding the UK) have been concluded.