Digital rights group to sue DPC over Facebook data leak decision
Ireland’s privacy watchdog is facing a court battle over its “untenable” decision that a Facebook data leak did not amount to a data breach.
The Data Protection Commission (DPC) last year imposed a €265 million fine on Meta Platforms Ireland Limited (MPIL) following its investigation into the discovery of a collated dataset of Facebook personal data which had been made available on the internet.
The dataset included the full names, phone numbers, locations and birthdates of more than 530 million people who used Facebook from 2018 to 2019.
Digital Rights Ireland (DRI) filed a complaint with the DPC in April 2021 on behalf of two Irish residents who were among over 110 million EU-based Facebook users whose data was included in the leaked dataset.
The DPC carried out an own-volition inquiry into the leak and concluded that Facebook had violated several principles of the GDPR by allowing the data to be scraped, but did not accept that this was a data breach which must be notified to the individual victims.
DRI is now appealing the DPC’s decision to the Irish Circuit Court.
Dr TJ McIntyre, chair of Digital Rights Ireland, said: “Facebook left the doors unlocked, but the DPC’s decision effectively means that Facebook isn’t responsible to individuals whose data was stolen. It denies that there has been any data breach for the actual victims of this failure, and means that they do not have to be notified of the breach.”
DRI argues that the DPC has denied justice to victims by refusing to declare that there was a data breach or that the leak of the data was unlawful, and accuses the DPC of operating an unfair procedure to the benefit of Meta in dealing with DRI’s complaint.
“The Data Protection Commission’s decision is untenable,” said Dr McIntyre.
“Over 100 million Europeans’ data is still downloadable on the web today because of Facebook leaking private, personal data: real names, mobile phone numbers, dates of birth, and emails — a potential treasure trove for fraudsters.
“That’s personal data under the GDPR, acquired due to Facebook’s wrongdoing, which still exposes the affected data subjects to a range of risks.”