Hope all of your exam seasons are going well so far! Found an article (link at the bottom) that details some of the recent news concerning the latest Facebook data breach from a couple of weeks ago, and more specifically how it relates to the company’s GDPR (non-)compliance. While the breach occurred at/extended into a time when the GDPR was fully active, Facebook made no disclosure of the incident to the Irish Data Protection Commission, which recently opened an investigation into the leak. As I mentioned in my presentation, the GDPR includes data breach notification requirements under which data controllers must notify the relevant regulatory authorities if they believe a breach is likely to constitute a risk to users’ rights and freedoms (and must do so without undue delay).
Knowing that a breach entails these legal obligations, Facebook has avoided describing the incident as such, and has downplayed the significance of the leaked information by essentially attempting to shift some of the blame to users for leaving Facebook’s default privacy settings in place, thereby making the leaked information “publicly available” in the first place and thus not covered by the GDPR. However, even if this is true (the article implies that it might not be), the GDPR still requires controllers to apply privacy by design and to adequately secure personal data; Facebook’s compliance with both of these requirements seems pretty questionable here. This article and situation raise pretty big questions about how Facebook needs to deal with incidents like this in the future, which seem inevitable given Facebook’s demonstrated approach to privacy and GDPR compliance.
Facebook’s tardy disclosure of breach timing raises GDPR compliance questions