Facebook-owner Meta and its lead data protection regulator in the European Union, the Irish Data Protection Commission (DPC), are facing an interesting legal challenge over a major data-scraping breach that led to a €265 million penalty for Facebook last year under the bloc’s General Data Protection Regulation (GDPR).
The legal action, reported earlier by the Irish Examiner, is being brought by the digital rights group, Digital Rights Ireland (DRI) — which is unhappy about the finding by the Irish regulator that no security breach occurred. Instead, in a final decision of November 25 2022 on an own volition enquiry the DPC opened in response to the incident, it found a breach by Meta of the GDPR’s requirement for data protection by design and default. Hence levying a fine.
However the lack of a finding by the DPC of a breach of the security of processing (aka Article 32 of the GDPR) meant there was no requirement for Meta to notify the 100 million or so EU-based Facebook users whose information was exposed and subsequently posted to online forums via the data-scraping of Facebook users carried out by unknown “malicious actors”. Instead Meta could pay a fine representing a tiny fraction of its revenue to make the matter go away.
The unknown entity/entities involved in the breach were able to obtain data on Facebook users by using a contact importer feature the platform had offered up to September 2019. The design of this feature was insecure in that it allowed large sets of phone numbers to be uploaded — enabling malicious actors to find phone numbers that matched Facebook profiles and, via this method, collate a massive data-set on individuals that included (in the majority of cases) phone numbers, names, genders and Facebook IDs that was later found exposed online.
Data-sets containing linked names and phone numbers plus social media profile information offer what DRI calls a “treasure trove” for fraudsters to target people — such as via phishing and social engineering techniques.
The total number of affected Facebook users globally is estimated to number around 533M — so the EU component of this data-scraping breach is also just the tip of the iceberg.
Following media reports of the data-scraping breach last year, DRI complained to the DPC on behalf of two data subjects whose information had been exposed — which led on to the DPC opening an own volition enquiry in April 2021. And in an update letter sent by the DPC to DRI in December, which has been shared with TechCrunch, the regulator writes:
The facts of this case, as established by the DPC, led to a conclusion that the data was not collated arising from exposure as a result of a security vulnerability falling for examination under Article 32 GDPR, but rather arose as a result of the very design of the relevant features of the platforms. Accordingly, as security was not infringed, there was no personal data breach within the definition of Article 4(12) and for that reason Article 34 was therefore not applicable.Advertisement
In the letter the DPC also asserts that: “The configuration of the Meta systems permitted such scraping to occur at the material time and this was the basis upon which the DPC found an infringement of Article 25.”
So, essentially, the Irish regulator’s finding asserts that the Facebook data scraping breach occurred because of the design of Meta’s systems being insecure — yet, simultaneously, declines to find that users’ data was exposed because of a security vulnerability. Therefore it finds no infringement of the security of processing as defined by the GDPR — so no personal data breach, under the regulation and, consequently, no need for the tech giant to consider whether it should inform affected users that it lost of their personal data.
Although we understand a final outcome letter from the DPC to the DRI is due to be sent this month — so the regulator hasn’t yet provided its last word on the latter’s complaint (but, per the decision it made in November on its own volition enquiry, it’s safe to assume the substance isn’t going to be different).
Despite Meta being fined a couple of hundred million over this data-scraping breach it arguably dodged a far bigger bullet here — since it has not had to inform the circa 100M EU-based users that it breached their security and exposed their data. And for a company which made over $33.6B in 2021 alone, by mining people’s data to sell their attention to advertisers, a fine of $275M is the proverbial ‘parking ticket’/cost of doing business — which can be written off as a business expense.
Whereas reputational damage, which has the potential to drive users away and so reduce engagement with Meta’s services, poses a far more meaningful threat to its attention-sapping business model.
Conveniently for Meta, the tech giant has so far been able to contain the damage over this massive data-scraping episode to a few media reports — and to some reporting of the fine itself — instead of having to communicate with every single one of the users personally affected by having their information scraped and exposed online.
Although it is appealing the DPC’s enforcement, regardless.
Discussing the DRI’s lawsuit, which is being lodged in the Circuit Court in Ireland — and targets Meta and the DPC both with the claim that “justice has been denied” to victims of the data breach — its chair, Dr TJ McIntyre, told TechCrunch: “The data breach point is just one part of a wider complaint that they didn’t make an adequate decision overall with regard to our complainants. The central argument with regard to a security breach is that it makes no sense to say that there’s a notifiable breach if somebody picks the lock but not if you don’t bother locking the door to begin with; i.e. a failure to apply security is a breach, not merely inadequate security.”
“Whether it is a notifiable data breach is in one sense relatively unimportant — it doesn’t affect the fact that there was a violation of duty. However a finding on this point would be helpful in establishing liability towards the individuals affected,” he added.
Meta and the DPC were contacted for comment on DRI’s lawsuit.
A spokesperson for Meta declined to comment. But we understand the company has yet to receive any filings or legal papers regarding the DRI’s case.
The DPC’s deputy commissioner, Graham Doyle, sent the following statement:
“It will be appreciated that we cannot comment on the substance of matters that are now before the courts. For information, however, you may wish to note that a decision has not actually been made yet by the DPC in relation to this complaint. It is acknowledged that DRI takes a different view on this point.”
The DPC continues to attract criticism over its approach to enforcing GDPR against tech giants and the DRI’s lawsuit joins a variety of legal actions and accusations fired at it since the regulation came into application — which run the gamut from complainants about time wasting and wasted resources to narrowly scoped or simply non-existent (i.e. never opened) enquiries following complaints, to legal challenges accusing it of inaction and even alleging criminal corruption.
It routinely defends itself — arguing its dealing with a large workload that often involves complex cases that require full attention to due process to minimize the risk of decisions being overturned on appeal.
Depending on what happens with this latest legal challenge over the Facebook data-scraping breach the lawsuit could have wider significance beyond Meta itself — in relation to other GDPR complaints being decided by the DPC that hinge on whether there’s a breach of security — such as a major complaint against Google’s role in real-time bidding (which, more broadly, implicates the third party tracking ad industry as a whole) that the DPC has been formally considering since May 2019 but still hasn’t decided or enforced.
Last year, complainants in that case sued the Irish regulator for inaction over what they’ve dubbed “the largest data breach ever”.
It remains to be seen what the DPC will decide on that (separate) GDPR complaint. But the wider point here is there could be a risk of a GDPR enforcement loophole if sloppily designed systems that are insecure by design — accidentally or even, potentially, cynically and systematically — are allowed to provide a route for data processors to avoid broader security breach liability under the GDPR.
There is also an interesting comparison to be drawn with the Cambridge Analytica Facebook data scandal, which made global headlines back in 2018 — and which Facebook has always strenuously denied represented a breach of user data. Yet it was, similarly, an insecure design — in that case of its developer platform — that led to data on hundreds of millions of users being extracted from Facebook without the knowledge or consent of the vast majority of the affected users in that earlier event.
The “rogue” actor Facebook accused of perpetrating the Cambridge Analytica data heist was an app developer who had agreed to its developer T&Cs.
And the company was accused in 2018 by the developer, Aleksandr Kogan, of not really having T&Cs as a result of the company not taking actions to ensure its terms were actively being enforced.
That major global data scandal predated the application of the GDPR — but it’s interesting to speculate what kind of enforcement Facebook would have faced had the episode fallen under the EU regulation. And whether or not Ireland’s DPC would have deemed Cambridge Analytica a security breach or just another failure of data protection by design.