Following last week’s revelations about a security defect which enabled hackers to access the accounts of over 50 million Facebook users, the social media giant now faces potential fines of up to $1.6bn.
The situation is now in the hands of the Irish Data Protection Commission (IDPC), the regulatory authority for Facebook’s European subsidiary, which is based in Ireland. A full investigation may now be opened by the Irish watchdog into the social network’s latest data bungle.
The worst-case scenario would be a $1.63bn fine for Facebook in yet another high-profile security scandal. This is the largest hack the US company has ever experienced and will only create more question marks over the firm’s capacity to meet the online security safeguards that users need in today’s digitised world.
Around five million of the affected accounts are owned by EU citizens, but the Irish regulatory body is delaying its response in order to maximise knowledge of the situation so it can gauge the scope of a prospective probe.
A spokesperson for the Irish DPC said on the CNBC website:
“We would need to establish under which provisions of the Data Protection Act 2018 we would conduct it. We are currently engaged in those steps.”
Facebook remained silent on the issue but announced its cooperation with the regulators in a tweet.
A test for Europe’s regulators
While Facebook divulged knowledge of the data breach within the 72-hour time limit stipulated by the GDPR, the problem is the highest-profile to date that regulatory authorities have had to deal with since the new legislation went live on May 25th of this year.
Much focus has fallen on the GDPR’s hard-hitting levy of 4% of global annual turnover for the most serious data breaches, which could lead to Facebook forking out around $1.63bn in light of its $40.65bn revenue made in 2017. However, the social network’s timely notification of the events of last week will act as a mitigating factor in punishments meted out.
Speaking on the CNBC website, Vera Jourova, the EU’s justice commissioner, said:
“I think Europe is [well]-equipped with GDPR because we have very strict rules and we have very strong instrument to discipline the companies which handle private data of people.
“It’s now down to the Irish Data Protection Commission to act and they are intensely working on the case. I am in close contact with the enforcers.
“In the wider context, our data protection authorities in all member states have hard work now in applying the GDPR in full and they are doing their risk assessments regarding different companies. Of course, the highest risk is in the case of the companies processing private data in vast quantities.”