Irish Regulator Investigates Facebook Over ‘Data Leak’

After the discovery last week of a dataset of 533 million Facebook users, Irish regulator warns firm it may have broken multiple laws and begins probe

Facebook is once again in the crosshairs of a national regulator, after the Irish Data Protection Commission (DPC) said it believes the firm may have breached one or more laws.

The Irish DPC announced on Wednesday that it has “launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 in relation to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet.”

Last week it was reported that a massive data set on about 533 million Facebook users was posted on a hacker forum.

That data dump was believed to have originated from an issue that occurred in early 2019, which Facebook said it fixed in August of that year.


Irish investigation

Facebook insisted the breach was old data, but Irish DPC deputy commissioner Graham Doyle said last week that the regulator was examining the matter to determine if it involved 2019 data.

And now on Wednesday the Irish DPC said it will begin an official investigation “in relation to GDPR compliance to which Facebook Ireland furnished a number of responses.”

“The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data,” it announced.

“Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect,” it said.

Facebook co-operation

Facebook has been quoted in the media as saying it is “cooperating fully” with the regulator, adding that the leak in question “relates to features that make it easier for people to find and connect with friends on our services.”

“These features are common to many apps and we look forward to explaining them and the protections we have put in place,” a Facebook spokesperson told CNBC via email.

The Irish DPC is taking the lead, because Facebook’s European headquarters are located in Dublin.

It’s unclear how long the investigation will last, but if it goes against the social networking giant, the resulting fine could be very expensive indeed.

Under GDPR rules firms can be fined either 20 million euros ($24 million) or up to 4 percent of their annual revenues, whichever is the greater amount.