Facebook Data Breach Prompts Eye-Watering Fine

A Data Protection Authority (DPA) in Europe has recently issued Facebook with a significant €1.2 million fine for two ‘serious’ and one ‘very serious’ breaches of data protection law.

The investigation, which formed part of a joint initiative by Data Protection authorities across Belgium, France, Hamburg, and The Netherlands, revealed that Facebook users’ personal data, e.g. political views, religious beliefs, location, and other personal preferences had been collected without the users’ informed consent. Data subjects were also left unaware as to the purpose of sharing their information with Facebook (and other third-party web pages), and the use of it thereafter.

The breach rated ‘very serious’ by the DPA, which accounted for €600,000 of the total fine, was the finding that Facebook did not ‘obtain unequivocal consent, specific and informed’ from its users before processing certain types of data (known as ‘special categories’ of data in legislative speak) for marketing purposes.

When issuing the fine, the DPA also took into consideration that users are not informed about how their data is collected via the use of cookies on the site, some of which the social network categorised as ‘secret’. Webpages which are not affiliated with Facebook, yet contain a ‘like’ button for the network all the same, were also shown to be in breach – some of them collecting data exclusively for marketing purposes without providing clear information to the user about what data will be collected and how it will be processed.

Additionally, it was shown that Facebook’s privacy policy was below par in terms of transparency, containing general formulations and statements that would be unclear to the average user and which required readers to click through a multitude of links in order to access the policy in its entirety.

Finally, the DPA was able to prove that Facebook did not, in fact, delete personal data upon user request (e.g. termination of account), but instead retained the data via cookies for up to seventeen months – a period which extends far beyond the original purpose for collecting it in the first place.

Is your organisation fully aware of Data Protection directives and the right to be forgotten legislation?

For more information on VinciWorks’ Data Protection, GDPR, and Information Security courses and microlearning courses, please don’t hesitate to get in touch.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.