Facebook is to be sued in Europe over major leaks of user data dating back to 2019, but which was recently posted for free download on a hacker forum following information from 533M + accounts.
Today Digital Rights Ireland (DRI) has announced it is taking “collective action” to sue Facebook, citing the right to monetary compensation for personal data breaches set out in the European Union’s General Data Protection Regulation (GDPR). Is starting
Article 82 of the GDPR provides for the ‘right to compensation and liability’ for those affected by the violation of the law. Since the regulation came into force, in May 2018, related civil litigation has been increasing in the region.
The Ireland-based digital rights group is urging Facebook users who live in the European Union or European Economic Area to check if their data was broken – via the HeavyBinPowered website (which will send you an email address or mobile number Lets check) – and to sign up if so join the case.
Information leaked through the breach includes Facebook ID, location, mobile phone number, email address, relationship status, and employer.
Facebook has been contacted to comment on the litigation.
The tech giant’s European headquarters are based in Ireland – and earlier this week the National Data Sentinel opened an investigation under the European Union and Irish data protection laws.
A mechanism in the GDPR to simplify the investigation of cross-border cases means that Ireland’s Data Protection Commission (DPC) is Facebook’s principal data regulator in the European Union. However it has been criticized for its approach and approach to GDPR complaints and investigations – taking time to decide on major cross-border cases. And this is especially true for Facebook.
With the completion of three years of GDPR, the DPC has several open investigations into various aspects of Facebook’s business, but not a single decision has been issued against the company yet.
(The closest it has come is a preliminary suspension order issued last year in relation to Facebook’s US data transfer from the European Union. However, the complaint that predates the long-term GDPR, and Facebook immediately via the courts Has been filed to block the order from. A resolution is expected later this filed its own judicial review of the DPC’s procedures after the trial).
Since May 2018, the European Union’s data protection regime has imposed fines of up to 4% of the company’s global annual turnover – at least on paper – for the most serious breach.
Nevertheless, the only GDPR penalty issued to date by the DPC against a tech giant (Twitter) is far from that theoretical maximum. Last December, the regulator announced a € 450k (~ $ 547k) approval against Twitter – about 0.1% of the company’s full-year revenue.
The fine was also for a data breach – but one that, contrary to Facebook leaks, Was It was revealed publicly when Twitter found it in 2019. Hence Facebook’s failure to disclose the vulnerability discovered by Facebook and claims to have it fixed by September 2019, which has now led to the leakage of 533M accounts, it suggests needed Withstand higher acceptance than Twitter received from DPC.
However, even if Facebook ends up with a more substantial GDPR penalty for this monitored Casselad backlog and makes it difficult to envisage a faster resolution to plod the procedural momentum that is only a few days old.
Given past demonstrations that this will happen before the DPC decides on the 2019 Facebook leak – which explains why the DRI sees value in instigating class-action style lawsuits parallel to the regulatory investigation.
“Compensation is not the only thing that makes this collective action worth engaging. It is important to send a message to big data controllers that they should follow the law and if it does not, they have a cost.
It also made a complaint to the DPC earlier this month about Facebook’s breach, then wrote that it was “consulting with its legal advisors on other options, including a collective action for damages in Irish courts”.
It is clear that the GDPR enforcement gap is creating a huge opportunity for litigation to step into Europe and sue for data-related compensation losses – along with a number of other collective actions announced last year.
In the case of DRI, its focus is clearly on seeking to ensure that digital rights are upheld. But it told RTE that it considers indemnity claims that force tech giants to pay money to users whose privacy rights have been violated, the best way to legally complain to them.
Meanwhile, Facebook has sought to play the breech that it failed to reveal in 2019 – claiming that it is ‘old data’ – a deflection that ignores the fact that people’s birth dates do not change. Nor do most people change their mobile number or email address).
Filled with ‘old’ data exposed in this latest massive Facebook leak, it will be much easier for spammers and fraudsters to target Facebook users – and now also to target Facebook for data-related losses.