
Facebook fined $18.6M over string of 2018 breaches of EU’s GDPR – TechCrunch

Facebook’s parent company Meta has been fined €17 million (~$18.6 million) by the Data Protection Commission (DPC) of Ireland for a series of historic data breaches.

The vulnerabilities in question, which appear to have affected up to 30 million Facebook users, date back several years – and were reported by Facebook to the Irish regulator in 2018.

The DPC, the lead privacy regulator for Meta/Facebook in the European Union, opened this security-related investigation in late 2018 after receiving no fewer than 12 data breach notifications from the tech giant in the six months between June 7, 2018 and December 4, 2018.

The European Union’s General Data Protection Regulation (GDPR) – which came into force in May 2018 – requires data controllers to immediately report personal data breaches to a supervisory authority where the information leak is likely to pose a risk to individuals. (The most serious violations should be reported within 72 hours.)

“The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications,” the DPC wrote in a press release announcing a final decision on its Facebook investigation.

“As a result of its inquiry, the DPC found that Meta Platforms violated Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms had not implemented adequate technical and organisational measures that would allow it to readily demonstrate the security measures it had implemented in practice to protect EU users’ data in relation to the 12 personal data breaches.”

In a statement responding to the DPC’s sanction, a Meta spokesperson sought to downplay the episode as a mere case of historically lax record-keeping, writing:

“This fine is about record-keeping practices dating back to 2018, which we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously and will carefully consider this decision as we further develop our processes.”

The penalty announced by the DPC is Ireland’s first final decision in a GDPR investigation against Facebook itself since the regulation began applying almost four years ago – although the regulator did issue, last year, a separate (major) sanction against Facebook-owned WhatsApp for violations of transparency rules.

The DPC confirmed that its draft decision on this Facebook investigation faced some objections from other EU data protection authorities – something that also emerged in a previous investigation into a Twitter security breach as well as the transparency decision on WhatsApp. (And in both cases, the GDPR’s dispute resolution mechanism resulted in higher penalties than Ireland had proposed.)

The DPC said two other authorities objected to its draft decision in this Facebook investigation. However, the Irish regulator did not indicate whether the fine was increased as a result of the objections, nor which authorities objected (or why).

It’s worth noting that the penalty is relatively small — certainly a far cry from the theoretical maximum of 4% of Meta’s worldwide annual sales (which would be well over $1 billion).

The DPC’s fine for Twitter, issued in 2020, was even smaller (~$550,000), and was likewise imposed for administrative failings related to a security breach notification.

While there are likely to be differences in the failings in each case, it is fairly clear that security breaches the EU authorities deem unintentional are likely to attract lower penalties than systematic or blatant breaches of the rules.

It also follows that a slew of lapses has earned Facebook a heavier penalty than Twitter, which reported just a single breach (rather than a dozen).

Big token hack

The DPC’s announcement of the sanction does not list the details of all 12 breaches Facebook reported over the six-month period in 2018 – but in September 2018 the tech giant publicly disclosed a major hack it believed had affected at least 50 million accounts, after attackers exploited a vulnerability on the site.

Facebook later said that only 30 million users had actually had their tokens stolen in the hack.

The bug, which dated back to July 2017, had allowed the attackers to obtain account access tokens, which are used to keep users logged in after they enter their username and password – meaning stolen tokens could let the attackers take over accounts.

However, this major token hack wasn’t the only security breach for the tech giant in 2018.

In June, Facebook notified users of a bug that had created a vulnerability for several days the previous month: it allegedly inadvertently changed the suggested privacy setting for status updates to public, regardless of what users had set – potentially leading up to 14 million users to share sensitive content they had intended only for friends with strangers.

Another bug, which we reported on in November 2018, had allowed any website to pull information from a Facebook user’s profile — including their likes and interests — without that person’s knowledge.

And later that same year, in December, Facebook disclosed a bug in its Photos API that allegedly gave app developers too much access to the photos of up to 5.6 million users.

This string of breaches followed hard on the heels of the Cambridge Analytica story breaking into a global scandal in March 2018, as revelations that Facebook user data had been siphoned off its platform to be repurposed for targeted advertising by the Trump campaign, to opaquely influence the US election, wiped billions of dollars off its share price.

The Cambridge Analytica scandal also prompted legislators and regulators around the world to take a closer look at Facebook’s handling of personal data – and ultimately helped drive moves to overhaul and strengthen the regulation of digital platforms (such as the UK’s forthcoming online safety legislation or the EU’s Digital Services Act).

However, because the Cambridge Analytica scandal occurred before the GDPR came into force, Facebook largely avoided direct regulatory sanction in Europe for that particular episode. Had the timing been slightly different, the penalty now could have been slightly larger.

The UK Information Commissioner’s Office fined Facebook £500,000 over Cambridge Analytica, the maximum possible under its pre-GDPR data protection regime. Facebook did challenge the regulator’s decision, before agreeing to drop its appeal and pay the fine as part of a settlement with the ICO, without admitting liability. It later emerged that the ICO had agreed to be gagged on the terms of that settlement.

The final results of the full platform app audit that Facebook claimed it was undertaking in the wake of the Cambridge Analytica scandal – to reassure users that it was cleaning out bad actors and locking down user data – have never seen the light of day.

Since then, the GDPR has introduced stricter rules on data breaches – at least across the EU (the UK is no longer a member state) – but long delays between data breaches and enforcement continue to hinder the smooth functioning of the regulation.

Ireland’s broader record on cross-border cases means that a single decision against Facebook now is unlikely to do much to blunt the sharp criticism of the pace of GDPR enforcement against Big Tech – not least given that multiple other Facebook investigations remain undecided. (And, as we reported yesterday, the DPC is now being sued for inaction via a separate GDPR complaint targeting Google’s adtech.)

It is therefore probably no coincidence that the regulator also chose today to publish a report on its handling of cross-border GDPR cases.

Among the statistics it chooses to spotlight are the following claims (for the period May 25, 2018 to December 31, 2021):

  • 1,150 valid cross-border complaints received by the DPC; 969 (84%) as Lead Supervisory Authority (LSA) and 181 (16%) as Concerned Supervisory Authority (CSA).
  • 588 (61%) cross-border complaints handled by DPC as LSA were originally lodged with another supervisory authority and forwarded to DPC.
  • 65% of all cross-border complaints handled by the DPC as LSA since May 2018 have been closed, with 82% of complaints received in 2018 and 75% of complaints received in 2019 now closed.
  • Of the 634 closed cross-border complaints handled by the DPC as LSA, 544 (86%) were resolved through amicable settlements in the interest of the complainant.
  • 72 (22%) open cross-border complaints are linked to an investigation and will be closed upon completion of the investigation. A majority of the remaining open complaints from 2018 and 2019 are linked to an inquiry.
  • 86% of all cross-border complaints handled by the DPC as LSA relate to just 10 data controllers.
  • 38% of complaints referred by the DPC to other LSAs in the EU/EEA (excluding the UK) have been closed.
