Facebook may face $1.63 billion EU fine for breach
A European Union privacy watchdog could fine Facebook Inc. as much as $1.63 billion for a data breach in which hackers compromised the accounts of more than 50 million users, if regulators find the company violated the bloc’s strict new privacy law.
Ireland’s Data Protection Commission, which is Facebook’s lead privacy regulator in Europe, said that it has demanded more information from the company about the nature and scale of the breach, including which EU residents might be affected.
In an emailed statement, the regulator said it is “concerned at the fact that this breach was discovered and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
A spokeswoman for Facebook said that the company will respond to follow-up questions from Ireland’s DPC and keep regulators apprised of further developments. Facebook Chief Executive Mark Zuckerberg said that the social network was taking the breach very seriously, and that it is still trying to determine many details around the scope and impact of the incident.
For Facebook, the breach is a major blow to its efforts to regain trust after a series of privacy and security snafus that have riled users and lawmakers alike.
It marks one of the first major tests of how regulators will apply the breach-notification and data-security provisions of the new European law, dubbed the General Data Protection Regulation, that went into effect earlier this year. It might also be a sign that the law’s threat of massive fines is already changing how firms handle big breaches — forcing them to disclose them faster and more publicly than before.
While there have been other recent breaches under GDPR — such as British Airways’ disclosure in early September that hackers had for more than two weeks intercepted financial details of clients who made bookings — few if any have been on the scale of Facebook’s breach, privacy lawyers say. The main question regulators will face is whether Facebook invested enough in security to avert a breach.
“When you talk about a business like Facebook that has huge resources and a large user base, that is inevitably going to be seen as a higher bar. The expectation should be that they are going to be deploying a very significant amount of resources” on security, said Andrew Dyson, a partner at DLA Piper.
Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of EUR20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation.
The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.
“The 72 hours is focusing everyone’s mind,” said a European privacy lawyer who works with big tech firms, but doesn’t represent Facebook.
The occurrence of a breach alone isn’t enough to merit a fine. While the new privacy law’s fines have yet to be tested, EU regulators often decline to issue the maximum possible fine in cases where a company has cooperated or been in at least partial compliance.
The Irish DPC said Facebook notified it of the breach on Thursday evening, which appears to fall within the law’s 72-hour time limit. The regulator complained that the notification “lacked detail,” but privacy lawyers said Sunday that it is common for a company to give an initial notification and then update regulators as it learns more about a breach. A spokesman for the DPC declined to elaborate on his statement until Facebook had replied to the regulator’s questions.
Any EU investigation into the breach will likely center on whether Facebook took appropriate steps to safeguard its users’ data before the hack. But given the newness of the GDPR, what counts as appropriate has yet to be defined by courts.
Facebook, for example, can argue that it invests heavily in security staff and technology and has boosted those expenditures recently. But the EU law recommends companies reduce the risk of breaches by minimizing the amount of user data they collect and keep. That could make any business that, like Facebook, relies heavily on data collection face tougher scrutiny, lawyers say.
“If you are a company that is processing personal data on a large scale, the level of risk is going to be seen as higher, so the level of security will have to be higher,” said Sarah Pearce, who heads the European data privacy and cyber security practice at law firm Paul Hastings, adding that her comments don’t specifically relate to Facebook.
The breach probe in Ireland is the latest legal threat Facebook is facing from U.S. and European officials over its handling of user data.
In September, Facebook Chief Operating Officer Sheryl Sandberg appeared in front of U.S. lawmakers to respond to questions about the company’s business and privacy practices.
Last week, the European Commission, the bloc’s executive arm, demanded Facebook better spell out to consumers how their data is being used or face consumer-protection sanctions in several countries.
Separately, the company also has come under fire from privacy activists who have lodged complaints under the GDPR in several countries, arguing in part that Facebook requires users to agree to its terms of service — including the collection of their personal data — in order to use the social network.
Privacy activists argue that users aren’t freely giving their consent to the terms. Facebook counters that data it collects is necessary to fulfill its contract with users to provide “a personalized experience” — and contractual necessity is also a permitted justification under GDPR. Ireland’s data-protection regulator says it is investigating the issue.
In Germany, the national antitrust regulator last December issued a preliminary finding that Facebook abuses its position as the dominant social network in Germany to strong-arm users into allowing it to collect data about them from third-party sources, such as websites with “like” buttons.
A final decision on that case could come in coming months.