The Irish Data Protection Commission (DPC) is looking into another possible breach of the General Data Protection Regulation (GDPR) by Facebook after the social media company revealed that a ‘glitch’ may have exposed unposted photos of almost 6.8 million users.
The DPC will carry out a review in line with the GDPR legislation, which was introduced by the European Union on May 25 this year. The data protection legislation was designed to give data regulators wide-reaching powers to sanction firms that neglect to adequately safeguard personal data. Corporations can face penalties of up to €20m or 4% of their annual global turnover if they do not comply, whichever figure is higher. If a fine such as this were applied to Facebook, it could be up to €1.4 billion based on its 2017 annual revenue of €35.2 billion.
The Irish DPC has primary European jurisdiction over Facebook as its European headquarters is based in Dublin. Head of Communications for the DPC Graham Doyle stated: “The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018. With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”
Facebook published a statement last Friday which said that logging in to its platform and granting permission to third-party applications to access photos may have led to the unintended breach between September 13 and 25.
Facebook Engineering Director Tomer Bar said in a message sent to application developers: “When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.”
This is the most recent data privacy investigation in what has been an unwelcome 2018 for Facebook. A similar investigation was kicked off in October after it was discovered that up to 50 million user accounts could have been exposed in a Facebook data breach.