Facebook: “Sorry this happened.” New Data Breach Prompts EU Inquiry

by: The Knowledge Group

December 17, 2018


In yet another revelation about Facebook privacy breaches, the company recently announced that a “bug” exposed up to 6.8 million people’s private photos. Three months ago.

The company said that for 12 days in September, third-party app developers got access to:

  • Photos people did not share publicly.
  • Images that users started to upload to Facebook but decided not to post – as Facebook holds pending posts for three days.
  • Visuals posted to Facebook Stories or Facebook Marketplace.

Certain third-party apps may have had access to more images than would normally be accessible to them, wrote Tomer Bar, explaining the issue in a December 14 blog entry.

This may have involved 1,500 apps, designed by hundreds of developers. Bar wrote that the social media company is “sorry” it happened.

Why the Wait?

Facebook, pressed by CNN news reporters, said the company put off making the breach public because:

  • The company wanted to first investigate the matter and understand its impact.
  • The company wanted to contact the right developers and identify the affected users.
  • The company wanted to take “some time to build a meaningful way to notify people” and to have notifications translated.

After learning of the breach, Facebook took nearly two months to tell data protection authorities and another month to tell the public. This delay came even though EU General Data Protection Regulation 2016/679 (GDPR) requires notification within three days to protect the privacy rights of people in the EU and the European Economic Area.

Statutory Inquiry

The authority that oversees Facebook’s compliance with EU regulations is the Irish Data Protection Commission. The body has opened a statutory inquiry into Facebook over multiple recent breaches and compliance issues concerning applicable GDPR rules.

But will the Commission insist that the GDPR’s three-day rule be taken seriously? Or will this case end up suggesting that tech giants themselves can decide when to report breaches – if at all?
