Facebook is under investigation in the EU for its massive leak of 533 million people’s data – and it could face a fine in the billions

Facebook CEO Mark Zuckerberg appears before a House Financial Services Committee hearing on Capitol Hill in Washington, Wednesday, Oct. 23, 2019.

  • A European regulator announced that it’s investigating Facebook over a leak of 533 million people’s data.
  • Ireland’s Data Protection Commission will probe whether Facebook broke EU privacy laws.
  • Facebook could face a fine of up to 4% of its $86 billion global revenue if found responsible.

Europe’s leading privacy regulator is investigating whether Facebook broke the law in its handling of a leak of over 533 million people’s phone numbers and personal data.

Ireland’s Data Protection Commission, the body charged with overseeing Facebook’s privacy compliance in the European Union, announced it had opened an investigation into the social media giant on Wednesday. If Facebook is found to have violated the EU’s data rules, it could face a monetary fine of up to 4% of its $86 billion global revenue.

In a statement, the DPC said it believes EU data rules “may have been, and/or are being, infringed in relation to Facebook Users’ personal data.”

The personal data of over 533 million Facebook users were dumped online for free in a hacking forum earlier this month, Insider first reported. The data included phone numbers that users didn’t make public on their Facebook profiles, which were scraped by cybercriminals in violation of Facebook’s terms of service.

A Facebook spokesperson said in a statement to Insider that the company is “cooperating fully” with the investigation, adding that the DPC is probing a now-patched vulnerability in a Facebook tool that made it possible to gather information about a Facebook user by entering their phone number.

“We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place,” the spokesperson said.

When news of the leak first broke, Facebook said the data was scraped due to a vulnerability that the company patched in 2019, and downplayed the issue as “previously reported” – but the company never publicly addressed the vulnerability in detail until the data dump this month.

Facebook also said it does not plan to notify the hundreds of millions affected by the data breach because it’s not confident that it has full knowledge of which users are affected, and because users can’t take steps to fix the issue given that the data has already been published online.

The DPC investigation comes on the heels of pressure from the European Commission. Justice commissioner Didier Reynders said on Monday that he had met with the DPC head Helen Dixon regarding the Facebook leak.

The EU investigation will probe whether Facebook had a legal obligation to notify users and European regulators when it found and fixed the vulnerability. The EU’s data privacy rules, known as GDPR, require such disclosures – but the GDPR only applies to data processed after 2018, and it’s not yet clear if the leaked Facebook data was scraped before the GDPR went into effect.

The DPC said that it has already started questioning Facebook about the data leak and that Facebook has “furnished a number of responses.”

Read the original article on Business Insider

Clubhouse is being investigated by a French internet watchdog, following a complaint over data privacy

Clubhouse is being investigated over privacy concerns.

  • A French regulator opened an investigation into Clubhouse over privacy concerns.
  • More than 10,000 people signed a French petition calling for the action.
  • CNIL, the watchdog, said it would decide whether GDPR applied to US-based Clubhouse.

The French data privacy regulator has started an investigation into Clubhouse’s use of data under GDPR, the European data privacy and security law.

The Commission Nationale de l’Informatique et des Libertés said in a statement it received a complaint before opening the investigation. CNIL said it had put questions to Alpha Exploration Co. Inc., the American owner of Clubhouse, on March 12.

“User privacy and security are a top priority at Clubhouse. We are actively working with organizations in the EU on GDPR compliance and have been grateful for their support and partnership,” a Clubhouse spokesperson said in an emailed statement.

The spokesperson added: “As we look to expand our U.S.-based operations into new regions, we will always aim to meet and exceed the data protection laws of all territories in which we operate.”

The company behind Clubhouse, the buzzy, invite-only chat app, doesn’t have a footprint in Europe. As a result, the first question the CNIL investigation hoped to answer was whether GDPR was applicable to the company, the watchdog said.

If GDPR wasn’t applicable, the French government could step in and impose sanctions or fines on the company, if it was found to violate users’ privacy.

“If it was confirmed that the application published by this company does not comply with the GDPR, the CNIL may, if necessary, use its own repressive powers,” said CNIL’s statement, translated from its original French.

Along with the formal complaint filed with the CNIL, the watchdog said it had taken notice of a French petition on the Sum of Us website that had topped 10,000 signatures.

The petition called into question Clubhouse’s use of phone contacts.

During the sign-up flow for the app, Clubhouse asked for access to new users’ iPhone contacts. Users could skip that step, but others who had uploaded their contacts could still locate users who chose not to share theirs, as Vox reported.

The petition said: “The app’s appalling privacy terms mean that when new members invite a friend to join, the names and numbers of all their contacts are uploaded to a secret database – and possibly shared with third parties.”

An almost identical petition in the UK had more than 25,000 signatures as of Saturday. It called for UK regulators to enforce privacy laws, putting “an end to this blatant violation of our private lives.”

After CNIL announced its investigation, the French-language version of the petition added a new note: “VICTOIRE!!!”
