Facebook data-scraping breach triggers GDPR enforcement lawsuit in Ireland

Facebook-owner Meta and its lead data protection regulator in the European Union, the Irish Data Protection Commission (DPC), are facing an interesting legal challenge over a major data-scraping breach that led to a €265 million penalty for Facebook last year under the bloc’s General Data Protection Regulation (GDPR).

The legal action, reported earlier by the Irish Examiner, is being brought by the digital rights group, Digital Rights Ireland (DRI) — which raised a complaint about the breach on behalf of two affected individuals and is unhappy about the finding by the Irish regulator that no security breach occurred.

Instead, in a final decision of November 25 2022 on an own volition enquiry the DPC opened in response to the incident, it found a breach by Meta of the GDPR’s requirement for data protection by design and default. Hence levying a fine.

However the lack of a finding by the DPC of a breach of the security of processing (aka Article 32 of the GDPR) meant there was no requirement for Meta to notify the 100 million or so EU-based Facebook users whose information was exposed and subsequently posted to online forums via the data-scraping of Facebook users carried out by unknown “malicious actors”. Instead Meta could pay a fine representing a tiny fraction of its revenue to make the matter go away.

A finding of an administrative breach of GDPR — rather than a security breach, which would identify Facebook as liable to the individuals whose personal data was exposed — also looks relatively convenient for the tech giant when it comes to potential liability over the episode given affected individuals could pursue class-action style litigation for damages.

Such mass legal actions have been on the uptick in the region in recent years — and are set to be bolstered this year as enforcement of the EU’s Collective Redress Directive begins. And had the DPC’s decision acknowledged a security breach it would have simplified such litigation in this case. However the regulator’s decision avoided doing that.  

The unknown entity/entities involved in the breach were able to obtain data on Facebook users by using a contact importer feature the platform had offered up to September 2019. The design of this feature was insecure in that it allowed large sets of phone numbers to be uploaded — enabling malicious actors to find phone numbers that matched Facebook profiles and, via this method, collate a massive data-set on individuals that included (in the majority of cases) phone numbers, names, genders and Facebook IDs that was later found exposed online.

Data-sets containing linked names and phone numbers plus social media profile information offer what DRI calls a “treasure trove” for fraudsters to target people — such as via phishing and social engineering techniques.

The total number of affected Facebook users globally is estimated to number around 533M — so the EU component of this data-scraping breach is also just the tip of the iceberg.

Following media reports of the data-scraping breach last year, DRI complained to the DPC on behalf of two data subjects whose information had been exposed — which led on to the DPC opening an own volition enquiry in April 2021. And in an update sent by the DPC to DRI in December, which has been shared with TechCrunch, the regulator writes:

The facts of this case, as established by the DPC, led to a conclusion that the data was not collated arising from exposure as a result of a security vulnerability falling for examination under Article 32 GDPR, but rather arose as a result of the very design of the relevant features of the platforms. Accordingly, as security was not infringed, there was no personal data breach within the definition of Article 4(12) and for that reason Article 34 was therefore not applicable.

In the letter, the DPC also asserts that: “The configuration of the Meta systems permitted such scraping to occur at the material time and this was the basis upon which the DPC found an infringement of Article 25.”

So, essentially, the Irish regulator’s finding asserts that the Facebook data scraping breach occurred because of the design of Meta’s systems being insecure — yet, simultaneously, declines to find that users’ data was exposed because of a security vulnerability. Therefore it finds no infringement of the security of processing as defined by the GDPR — so no personal data breach, under the regulation and, consequently, no direct liability link to individuals for exposing their information and no need for the tech giant to consider whether it should inform affected users of a security breach.

We understand a final outcome letter from the DPC to the DRI is due to be sent this month — as the regulator says it hasn’t yet provided its last word on the latter’s complaint (but, per the decision it made in November on its own volition enquiry, it’s safe to assume the substance isn’t going to be different).

Update: The DRI has responded to refute the DPC’s claim that it has not yet taken a decision on the complaint — pointing out that the letter it received from the regulator last month stated its findings in a paragraph entitled “Your complaint”; and finished with a paragraph entitled “Conclusion” that referred to “the DPC’s decision on this matter”.

Here’s the concluding chunk of the letter:

The DPC would like to thank you for lodging your complaint. We hope that the DPC’s decision on this matter and the exercising of corrective powers, including the imposition of substantial administrative fines which are deemed to be “effective, proportionate and dissuasive” and reflective of the nature and extent of the infringements involved help to bring a satisfactory closure to this matter.

“Digital Rights Ireland utterly refutes the DPC’s assertion that “a decision has not actually been made yet by the DPC in relation to this complaint,” a spokesman told us.

Referring to the DPC’s letter, he added: “We see no ambiguity there. This letter states the DPC’s findings in the paragraph ‘Your complaint’. The last sentence signals that the letter is intended to close the matter. If this isn’t a decision, we don’t know how we’d be supposed to recognize one.

“The idea that this letter did not represent a decision only became the DPC´s position when the DPC found out they were being sued.”

Despite Meta being fined a couple of hundred million over this data-scraping breach it arguably dodged a far bigger bullet here — since it has not had to inform the circa 100M EU-based users that it breached their security and exposed their data. (While litigation for damages on a pool of some hundred million affected users could get considerably more expensive if successful.)

One thing is clear: For a company which made over $33.6B in 2021 alone by mining people’s data to sell their attention to advertisers, a fine of $275M is the proverbial ‘parking ticket’/cost of doing business — which can be written off as a business expense.

Whereas reputational damage — which has the potential to drive users away and so reduce engagement with Meta’s services — poses a far more meaningful threat to its attention-sapping business model, before you even consider the litigation damages liability risk.

Conveniently for Meta, the tech giant has so far been able to contain damage over this massive data-scraping episode to a few media reports — and to some reporting of the fine itself — instead of having to communicate with every single one of the users personally affected by having their information scraped and exposed online.

Although we understand Meta is appealing the DPC’s enforcement, regardless.

Discussing DRI’s lawsuit, which is being lodged in the Circuit Court in Ireland — and targets Meta and the DPC both, with the claim that “justice has been denied” to victims of the data breach — its chair, Dr TJ McIntyre, told TechCrunch: “The data breach point is just one part of a wider complaint that they didn’t make an adequate decision overall with regard to our complainants. The central argument with regard to a security breach is that it makes no sense to say that there’s a notifiable breach if somebody picks the lock but not if you don’t bother locking the door to begin with; i.e. a failure to apply security is a breach, not merely inadequate security.”

“Whether it is a notifiable data breach is in one sense relatively unimportant — it doesn’t affect the fact that there was a violation of duty. However a finding on this point would be helpful in establishing liability towards the individuals affected,” he added.

Meta and the DPC were contacted for comment on DRI’s lawsuit.

A spokesperson for Meta declined to comment. But we understand the company has yet to receive any filings or legal papers regarding the DRI’s case.

The DPC’s deputy commissioner, Graham Doyle, sent the following statement:

It will be appreciated that we cannot comment on the substance of matters that are now before the courts. For information, however, you may wish to note that a decision has not actually been made yet by the DPC in relation to this complaint. It is acknowledged that DRI takes a different view on this point.

The DPC continues to attract criticism over its approach to enforcing GDPR against tech giants and the DRI’s lawsuit joins a variety of legal actions and accusations fired at it since the regulation came into application — which run the gamut from complainants about time wasting and wasted resources, to narrowly scoped or simply non-existent (i.e. never opened) enquiries following complaints, to legal challenges accusing it of inaction and even alleging criminal corruption.

It routinely defends itself — arguing its dealing with a large workload that often involves complex cases that require full attention to due process to minimize the risk of decisions being overturned on appeal.

Depending on what happens with this latest legal challenge over the Facebook data-scraping breach the lawsuit could have wider significance beyond Meta itself — in relation to other GDPR complaints being decided by the DPC that hinge on whether there’s a breach of security — such as a major complaint against Google’s role in real-time bidding (which, more broadly, implicates the third party tracking ad industry as a whole) that the DPC has been formally considering since May 2019 but still hasn’t decided or enforced.

Last year, complainants in that case sued the Irish regulator for inaction over what they’ve dubbed “the largest data breach ever”.

It remains to be seen what the DPC will decide on that (separate) GDPR complaint. But the wider point here is there could be a risk of a GDPR enforcement loophole if sloppily designed systems that are insecure by design — accidentally or even, potentially, cynically and systematically — are allowed to provide a route for data processors to avoid broader security breach liability under the GDPR.

There is also an interesting comparison to be drawn with the Cambridge Analytica Facebook data scandal, which made global headlines back in 2018 — and which Facebook has always strenuously denied represented a breach of user data. Yet it was, similarly, an insecure design — in that case of its developer platform — that led to data on hundreds of millions of users being extracted from Facebook without the knowledge or consent of the vast majority of the affected users in that earlier event.

The “rogue” actor Facebook accused of perpetrating the Cambridge Analytica data heist was an app developer who had agreed to its developer T&Cs. And the company was accused in 2018 by the developer, Aleksandr Kogan, of not really having T&Cs as a result of the company not taking actions to ensure its terms were actively being enforced.

That major global data scandal predated the application of the GDPR — but it’s interesting to speculate what kind of enforcement Facebook would have faced had the episode fallen under the EU regulation. And whether or not Ireland’s DPC would have deemed Cambridge Analytica a security breach or just another failure of data protection by design.

This report was updated with a response from DRI to the DPC’s claim that the letter it sent was only an update, not the outcome/decision on its complaint — and with additional analysis of liability related to the different GDPR breach findings