Digital Rights Ireland takes DPC to Court Over Facebook’s 530 Million Users’ Data Leak

Digital Rights Ireland goes to court over Data Protection Commission’s decision regarding Facebook’s responsibility for its 530 million user data leak.

10 January, Dublin – Digital Rights Ireland is appealing to the Irish Circuit Court against the Irish Data Protection Commission’s decision that the leaking of over 110 million EU-based Facebook users’ details was “not a data breach within the definition of Article 4(12)” of the GDPR.

This finding was the outcome of a complaint by Digital Rights Ireland which was lodged when 530 million users’ private data from Facebook appeared on the Internet. Digital Rights Ireland filed a complaint on behalf of some of the 100 million European victims of the breach, whose data was left publicly accessible by Facebook. The DPC confirmed that Facebook had violated several principles of the GDPR by allowing the data to be scraped, but did not accept that this was a data breach which must be notified to the individual victims.

“Facebook left the doors unlocked, but the DPC’s decision effectively means that Facebook isn’t responsible to individuals whose data was stolen. It denies that there has been any data breach for the actual victims of this failure, and means that they do not have to be notified of the breach,” said Chair of Digital Rights Ireland, Dr. TJ McIntyre.

Digital Rights Ireland argues that the DPC has denied justice to victims by refusing to declare that there was a data breach or that the leak of the data was unlawful. Further, Digital Rights Ireland accuses the Irish Data Protection Commission of operating an unfair procedure to the benefit of Facebook (which has since changed its name to Meta) in dealing with DRI’s complaint.

“The Data Protection Commission’s decision is untenable,” said Dr. McIntyre. “Over 100 million Europeans’ data is still downloadable on the web today because of Facebook leaking private, personal data: real names, mobile phone numbers, dates of birth, and emails – a potential treasure trove for fraudsters. That’s personal data under the GDPR, acquired due to Facebook’s wrongdoing, which still exposes the affected data subjects to a range of risks.

According to the DPC’s Inquiry, ‘these risks include spamming, scamming, phishing and smishing. Facebook’s own internal report highlighted the dangers of stalkers and burglars as a result of the disclosure of location information.

The victims of the breach say that they are still faced with the consequences of the breach. “My number and email were leaked in the breach, and I’ve been inundated with scam calls and phishing attempts regularly ever since,” said Sabrina Dent, who has been a Facebook user for over a decade and is one of the 100 million victims of the breach in the European Union.

Note to Editors:

A timeline of events is available at the bottom of this release.

# # #

About Digital Rights Ireland

Digital Rights Ireland (DRI) is dedicated to defending civil, human and legal rights in the digital age. DRI focuses on mounting legal challenges, educating legislators, and public campaigning. Previous successful legal challenges include the overturning of the EU Data Retention Directive and complaints leading to many elements of the Public Services Card being found illegal.

AVAILABLE FOR COMMENT:

Dr TJ McIntyre is Chairperson of Digital Rights Ireland and an Associate Professor at the Sutherland School of Law, University College Dublin. From 2010-2022 he was the Irish national expert on information society and data protection issues for the EU Fundamental Rights Agency research network.

CONTACT:

Antoin O’Lachtnain
Director, Digital Rights Ireland
+353 87 240 6691
press@digitalrights.ie

 

Timeline of Events

  • Approx. August 2018 – A large amount of private customer data is harvested from the Facebook website, using tools offered by Facebook itself.
  • March 2021 – This data dump appears on the open Internet. It contains private details of hundreds of millions of Facebook users.
  • April 2021 – DRI filed a complaint with the DPC on behalf of two Irish residents among the 100M+ EU data subjects whose Facebook data was leaked onto the Dark Web in or around August 2018.
  • July 2021 – DPC acknowledges the DRI complaint. According to the acknowledgement letter, the DPC elected to sidestep DRI’s complaint on behalf of victims and opened an ‘own-volition’ inquiry. The DRI complaint on behalf of victims would only be dealt with when this inquiry was complete.
  • October 2021 – Facebook changes its name to ‘Meta’ (though the Facebook website continues under the old name).
  • October 2022 – DPC informs DRI that it has produced a draft decision in relation to its ‘own volition’ inquiry. It refuses to share this draft report, in spite of the bearing it is likely to have on the DRI complaint on behalf of victims.
  • November 2022 – DPC releases decision of its own-volition inquiry. It published a detailed report of its inquiry which found what appears to be clear evidence of a data breach. (https://www.reuters.com/technology/irish-regulator-fines-facebook-265-mln-euros-over-privacy-breach-2022-11-28/) The decision provided for two large fines for Facebook’s poor implementation of privacy protections that are required under GDPR.
  • December 2022 – DPC informs DRI of its decision in relation to the DRI complaint on behalf of victims. DPC rejected DRI’s complaint. It said that DPC had found that there was no actual data breach within the meaning of GDPR and accordingly rejected the complaint on behalf of victims.
  • January 2023 – DRI announces that it is suing DPC and Facebook over this finding.

Available on request:

  • Letter from DPC to Digital Rights Ireland
  • Digital Rights Ireland Complaint to DPC

Other important documentation:

DPC’s report ‘Inquiry concerning Meta Dataset