Toronto Star

Facebook faces EU privacy probe under beefed-up data law

Hackers exploited software bugs to obtain access to as many as 50 million accounts

- STEPHANIE BODONI BLOOMBERG

Facebook Inc. has become the first big test case for the European Union’s beefed-up privacy rules as Ireland’s data watchdog opened a probe into a security breach announced last week that affected as many as 50 million accounts.

Ireland’s data protection authority on Wednesday said it has started investigating whether Facebook had “appropriate technical and organizational measures” in place to protect its users’ personal data. While not the first European probe into Facebook, it’s the first under the EU’s new data rules, which could lead to fines of as much as 4 per cent of a company’s annual sales.

Facebook informed the Irish authority “that their internal investigation is continuing and that the company continues to take remedial actions to mitigate the potential risk to users,” the regulator said in a tweet, as it announced its probe. Facebook said in a statement that it’s in close contact with the regulator and “will continue to cooperate with their investigation.”

The breach adds more pressure to the U.S. social-media giant, which is still reeling from the separate scandal this year stemming from the revelation that data belonging to as many as 87 million Facebook users and their friends may have been misused by a political consultancy that helped get U.S. President Donald Trump elected. That breach was called a game changer in the world of privacy as it happened shortly before the EU’s new law, called General Data Protection Regulation (GDPR), took effect across the 28-nation bloc on May 25.

EU Justice Commissioner Vera Jourova, who pushed through GDPR, tweeted on Wednesday that she had spoken to the Irish privacy commissioner, Helen Dixon, to welcome the probe and give “my full support in getting to the bottom of this story.”

Jourova told reporters in Luxembourg this week that the latest Facebook breach is the “first big test case” for GDPR.

The EU’s top privacy official, Andrea Jelinek, who chairs the group of privacy commissioners from across the bloc, said in a tweet on Thursday that “all board members stand ready to engage in mutual assistance if needed.”

Facebook disclosed the breach a week ago, saying it had by now solved the vulnerability. It appeared that a hacker — or hackers — exploited several software bugs at once to obtain login access to as many as 50 million accounts. That access let the intruder act like users on their profiles, or on any applications where they signed in using Facebook.

Regulators under the old regime lacked the teeth they needed to levy fines that could really bite.

The U.K. watchdog, which has been probing the Cambridge Analytica scandal, said in July Facebook could face a fine of as much as £500,000 ($841,000) over its failures to prevent a breach. That’s the maximum penalty the regulator could levy before, and this still applies for any violations that happened before GDPR took effect on May 25.

The U.S. Federal Trade Commission’s chairman has signalled that his staff is also looking into the recent breach.

Photo: Richard Drew, The Associated Press (file photo). The Irish Data Protection Commission will look into whether Facebook complied with European data protection regulations.
