Facebook: “Sorry this happened.” New Data Breach Prompts EU Inquiry
Dec 2018

In yet another revelation about Facebook privacy breaches, the company recently announced that a “bug” exposed up to 6.8 million people’s private photos. Three months ago.

The company said that for 12 days in September, third-party app developers got access to:

  • Photos people did not share publicly.
  • Images that users started to upload to Facebook but decided not to post – as Facebook holds pending posts for three days.
  • Visuals posted to Facebook Stories or Facebook Marketplace.

Certain third-party apps may have had access to more images than would normally be accessible to them, wrote Tomer Bar, explaining the issue in a December 14 blog entry.

This may have involved 1,500 apps, designed by hundreds of developers. Bar wrote that the social media company is “sorry” it happened.

Why the Wait?

Facebook, pressed by CNN news reporters, said the company put off making the breach public because:

  • The company wanted to first investigate the matter and understand its impact.
  • The company wanted to contact the right developers and identify the affected users.
  • The company wanted to take “some time to build a meaningful way to notify people” and to have notifications translated.

After learning of the breach, Facebook took nearly two months to tell data protection authorities and another month to tell the public. This happened even though the EU General Data Protection Regulation 2016/679 (GDPR) requires notification within three days to protect the privacy rights of people in the EU and the European Economic Area.

Statutory Inquiry

The authority that oversees Facebook’s compliance with EU regulations is the Irish Data Protection Commission. The body has opened a statutory inquiry into Facebook over multiple recent breaches and compliance issues concerning applicable GDPR rules.

But will the Commission insist that the GDPR’s three-day rule be taken seriously? Or will this case end up suggesting that tech giants themselves can decide when to report breaches – if at all?
