Facebook faces $1.63 billion fine in Europe for data breach



A European Union privacy watchdog could fine Facebook Inc. as much as $1.63 billion for a data breach disclosed Friday, in which hackers compromised the accounts of more than 50 million users, if regulators find that the company violated the bloc's strict new privacy law.

The Irish Data Protection Commission, Facebook's lead privacy regulator in Europe, said Saturday that it had asked the company for more information about the nature and extent of the breach, particularly as it concerns EU residents who may be affected.

In an emailed statement, the regulator said it was "concerned that this breach, discovered Tuesday, affects several million user accounts, but Facebook is unable to specify the nature of the breach and the risk to users."

A Facebook spokeswoman said Sunday that the company would answer the Irish DPC's additional questions and keep regulators informed of further developments. Facebook chief executive Mark Zuckerberg said Friday that the social network was taking the breach very seriously and was still trying to pin down many details about the scale and impact of the incident.

For Facebook, the breach is a blow to its efforts to regain trust after a series of privacy and security snafus that have angered users and lawmakers.

This is one of the first significant tests of how regulators will apply the breach-notification and data-security provisions of the new European law, the General Data Protection Regulation, which entered into force earlier this year. It could also be a sign that the threat of the law's massive fines is already changing how companies handle major breaches, pushing them to disclose them faster and more publicly than before.

Although there have been other recent breaches under GDPR, such as British Airways' disclosure in early September that hackers had intercepted for more than two weeks the financial details of customers making bookings, privacy lawyers say the main question regulators will face is whether Facebook invested enough in security to prevent a breach.

"When you talk about a company like Facebook, which has huge resources and a large number of users, this will inevitably be perceived as a higher bar. We expect that they will deploy a very large amount of resources on security," said Andrew Dyson, a partner at DLA Piper.

Under GDPR, companies that fail to do enough to protect their users' data face a maximum fine of €20 million ($23 million) or 4% of the previous year's annual global turnover, whichever is higher. Facebook's maximum fine would be $1.63 billion under the broader calculation.

The law also requires companies to notify regulators of breaches within 72 hours or face a maximum fine of 2% of global turnover.

"The 72 hours are at the center of our concerns," said a European privacy lawyer who works for large technology companies but does not represent Facebook.

A breach alone is not sufficient to justify a fine. Although the new privacy law's fines have not yet been tested, EU regulators have often declined to impose the maximum possible fine where a company has cooperated or is at least partially compliant.

The Irish DPC said that Facebook had informed it of the breach on Thursday night, which appears to fall within the 72-hour deadline set by law. The regulator complained that the notification was "unclear," but privacy lawyers said Sunday that it is common for a company to give an initial notification and then update regulators as it learns more about a breach. A DPC spokesman declined to elaborate on its statement until Facebook had answered the regulator's questions.

Any EU investigation into the breach is likely to focus on whether Facebook took appropriate measures to protect its users' data before the hack. But given how new GDPR is, the courts have not yet defined what counts as appropriate.

Facebook, for example, can argue that it invests heavily in security staff and technology and that it has recently increased that spending. However, EU law also urges companies to reduce the risk of a breach by minimizing the amount of user data they collect and retain. That could mean any company that relies heavily on data collection, such as Facebook, faces more scrutiny, lawyers say.

"If you are a company that processes personal data on a large scale, the level of risk will be perceived as higher, so the level of security will have to be higher," said Sarah Pearce, who heads the European privacy and cybersecurity practice at law firm Paul Hastings, adding that her comments did not relate specifically to Facebook.

The breach investigation in Ireland is the latest legal threat to Facebook from US and European authorities over its handling of user data.

In September, Facebook's chief operating officer, Sheryl Sandberg, appeared before US lawmakers to answer questions about the company's privacy practices.

Last week, the European Commission, the bloc's executive body, told Facebook to better explain to consumers how their data is used or face sanctions in several countries.

Separately, the company has also been targeted by privacy activists who have filed GDPR complaints in several countries, arguing in part that Facebook forces users to agree to its terms of service, including the social network's data collection.

Privacy activists argue that users do not freely consent to those terms. Facebook counters that the data it collects is necessary to fulfill its contract with users to provide "a personalized experience." Contractual necessity is also a permitted legal basis under GDPR. The Irish data protection regulator says it is investigating the matter.

In Germany, the national antitrust regulator issued a preliminary finding last December that Facebook was abusing its dominant position as a social network in Germany to collect data on its users from third-party sources such as "buttons."

A final decision on this case could come in the coming months.

Write to Sam Schechner at [email protected]