Irelands data protection authority is expected to launch a formal investigation into the Facebook data breach affecting 90 million people worldwide, the first major test of Europes new data protection rules, according to a person with direct knowledge of the matter.
The inquiry marks the latest setback for the social networking giant, which has been plagued by scandal over the last two years ranging from the use of its platform by Russian-backed actors during the U.S. presidential election in 2016 to the Cambridge Analytica data breach.
It also comes as European regulators start to flex their muscles under the regions beefed-up privacy standards, known as the General Data Protection Regulation, or GDPR, which include fines of up to 4 percent of a companys global revenues if it mishandles Europeans digital information.
While Facebook is unlikely to be slapped with such hefty sanctions, the company could face a fine of up to €1.4 billion — potentially the largest ever privacy fine worldwide — if it is found to have broken Europes data protection rules.
“This is the first big case for GDPR,” Věra Jourová, the European justice commissioner, told reporters Tuesday.
[The] worst is that Facebook has no way of seeing what was done” — Paul-Olivier Dehaye, Belgian privacy researcher
The formal investigation will be opened in the next 48 hours, according to a person close to the data protection authority. As part of the inquiry, Irelands data protection commissioner will focus on whether the American tech giant mishandled peoples data in a way that led to a hacker being able to access the online profiles of millions of Facebook users, including that of Mark Zuckerberg, the companys chief executive.
“This new enforcement tool is long overdue,” Helen Dixon, Irelands data protection regulator, told POLITICO earlier this year ahead of the start of Europes new privacy standards. “Theres been a massive increase in awareness of data protection laws.”
A spokesman for the Irish authority declined to comment on any potential fines linked to the upcoming Facebook investigation.
Facebooks first public estimation was that 50 million profiles had been affected in the breach. The company revealed on Friday that hackers were able to exploit a technical vulnerability on the social network to take over peoples accounts, as well as to access other digital services like Spotify and Airbnb that allow people to rely on their Facebook log-in to use those services.
Facebook CEO Mark Zuckerberg testified before committees of U.S. Congress and Senate in April 2018 over privacy concerns | Saul Loeb/AFP via Getty Images
“Many more people potentially have been hacked,” said Paul-Olivier Dehaye, a Belgian privacy researcher who has challenged Facebooks privacy practices in the past. “And the worst is that Facebook has no way of seeing what was done.”
The Irish regulator is in charge of the region-wide investigation into the Facebook data breach because the companys international headquarters are located in Dublin, where it can take advantage of the countrys low corporate tax regime. The agency said that less than 10 percent of the 50 million people directly affected by the data breach have European accounts. Facebook is expected to provide more detail on the other 90 percent of its affected users as early as Wednesday.
Facebook said a further 40 million individuals also had their accounts reset as a precaution. “We face constant attacks from people who want to take over accounts or steal information around the world,” Zuckerberg wrote on his Facebook page.
Facebooks privacy woes
Policymakers on both sides of the Atlantic are ratcheting up their rhetoric about how Facebook and other Silicon Valley giants use peoples digital information.
In Washington, U.S. lawmakers are holding a series of hearings about overhauling the nations data protection rules after California passed its own legislation to give people a greater say over how their data is used.
Facebook “is making incredible [amounts of] money from using our privacy as a commodity” — Věra Jourová, European justice commissioner
Much of the focus, though, has centered on Europes new standards, which are fast becoming the de facto global standard as countries from Japan to Brazil borrow heavily from the regions rule book.
Yet while EU officials have been quick to promote the new data protection rules, this most recent Facebook data breach represents a landmark moment in the regions stance toward digital privacy, according to legal experts.
Facebook “is making incredible [amounts of] money from using our privacy as a commodity,” said Jourová. “So I would expect them to manage it better and take all the necessary measures to mitigate the damage.”
Many of the regions regulators remain relatively understaffed and under-resourced, raising questions on whether they have the regulatory muscle to take on a company whose revenues and legal clout significantly dwarf their own.
Others question if EU agencies — notably that of Ireland, a country highly dependent on U.S. tech companies for local employment — are willing to take on difficult cases that will likely be fought out for years in the regions courts.
But Dixon, the Irish chief regulator, “is no pushover,” said Johnny Ryan, a Dublin-based privacy advocate who works for the privacy-friendly browser Brave and has filed cases to the data watchdog in the past.
“I do think shes independent from the government,” he said. “The issue isnt Facebook jobs in Dublin.”