
International: Regulators issue statements on Facebook security breach affecting 533M individuals

The Irish Data Protection Commission ('DPC') issued, on 6 April 2021, a statement on recent reports that personal information from Facebook, Inc. had been made publicly available. In particular, the statement highlights that this published dataset appears to comprise a dataset previously scraped from Facebook in 2018, which was not notified then, since it had occurred before the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') came into force, together with some additional records which might have been scraped at a later unidentified period.

Furthermore, the statement notes that the DPC and Facebook are currently investigating the matter, with Facebook providing that, since the data appears to have been collated by third parties and potentially stems from multiple sources, extensive investigation is required to confidently establish its provenance. Lastly, the statement outlines the risks arising from this incident, including users being spammed for marketing purposes or unauthorised access to personal data by third parties.

Separately, Facebook issued its own statement addressing recent reports, confirming that only a limited set of information had been obtained, which did not include financial information, health information, or passwords, and that it had taken measures in 2019 to address such vulnerabilities.

You can read the DPC's statement here and Facebook's statement here.

In light of the above, a number of regulators have issued statements addressing the ongoing Facebook breach. 

Hong Kong

The Office of the Privacy Commissioner for Personal Data ('PCPD') issued, on 4 April 2021, a compliance check on Facebook related to a suspected data breach. In particular, the PCPD clarified that following media reports of the data breach, they initiated a compliance check with Facebook Hong Kong to ascertain the particulars of the breach, and the number of Hong Kong users affected. Furthermore, the PCPD noted that it had reminded Facebook to notify, as soon as possible, the affected users to mitigate any risks associated with the breach. 

You can read the press release here.

UPDATE (15 April 2021)

The PCPD issued, on 14 April 2021, a statement on the response from Facebook's compliance check. In particular, Facebook notified the PCPD that data of approximately 2,937,841 Hong Kong individuals may be included in the dataset of the alleged incident, which resulted from online scraping of publicly available data in 2019. Furthermore, the PCPD signposted Facebook's contact form for any user who suspects, or wants to check whether, they have been affected by the scraping, and will continue to follow up on the incident.

You can read the press release here, and access Facebook's contact form here.


The National Privacy Commission ('NPC') announced, on 5 April 2021, that it is investigating Facebook with regards to allegations that the personal data of over 800,000 Filipino users had been compromised.

You can read the press release here.


The Protection and Consumer Defence Foundation of the State of São Paulo ('PROCON-SP') issued, on 6 April 2021, a statement on Facebook's recent data leak. In particular, PROCON-SP requested Facebook to clarify issues, such as the purpose and legal basis for processing of the personal data of Brazilian citizens, whether consent was required, how consent was obtained, and the measures taken to comply with Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'). Furthermore, PROCON-SP requested Facebook to explain its policies regarding data disposal and storage periods. In addition, PROCON-SP asked Facebook to confirm whether an incident had occurred and, if so, its causes and the measures taken to address it, as well as the plans intended to repair the resulting damage and prevent the failure from reoccurring.

Finally, PROCON-SP noted that Facebook must respond by 9 April 2021.

You can read the press release, only available in Portuguese, here.


The French data protection authority ('CNIL') released, on 6 April 2021, guidance for individuals on how to limit the negative consequences of the data leak from Facebook for their personal information. In particular, CNIL specified, among other things, the categories of personal data which were potentially involved in the data leak, but clarified that it did not concern user passwords or private messages. Furthermore, CNIL stated that it had received complaints following the leak and that it will work in cooperation with the Irish DPC to determine the extent of the violation and examine the security measures taken by Facebook in prevention of and following the leak, as well as its notification to data subjects of the leak.

You can read the press release, only available in French, here.


The Italian data protection authority ('Garante') published, on 6 April 2021, a statement calling on Facebook to immediately make a service available to Italian users to check whether their telephone number or email address has been affected by the data leak. In particular, Garante highlights that such measures need to be taken to limit any further risk to more than 36 million Italian Facebook users, since telephone numbers could be used for different illegal purposes, ranging from unwanted calls and messages to serious threats such as the so-called 'SIM swapping.' In addition, Garante warns that the processing of personal data deriving from this violation is prohibited by privacy legislation, since such information is the result of unlawful processing, and draws the attention of all users to the importance of being wary of any anomalies connected to their telephone numbers, among others.

You can read the press release, only available in Italian, here.


The Federal Service for the Supervision of Communications, Information Technology and Mass Communications ('Roskomnadzor') announced, on 6 April 2021, that it had sent a request to Facebook to provide further information on the impact of the data breach on Russian users. In particular, the Roskomnadzor noted that the incident may potentially affect nearly 10 million users from Russia and involve information such as names, locations, phone numbers, and email addresses. In this regard, the Roskomnadzor also demanded that Facebook take all measures to prevent such leaks, citing its previous efforts to bring Facebook in line with data localisation requirements.

You can read the press release, only available in Russian, here.


The Electronic Privacy Information Center ('EPIC') issued, on 6 April 2021, a notice on the recent press reports that sensitive personal data from more than 500 million Facebook users was posted online.

You can read the press release here.


The Icelandic data protection authority ('Persónuvernd') announced, on 6 April 2021, that the personal information of approximately 31,000 Icelanders may have been affected by the Facebook leak. In particular, the Persónuvernd highlighted that the unauthorised disclosure of information may increase the likelihood of individuals being exposed to fraud via emails and/or telephone. 

You can read the press release, only available in Icelandic, here.


The Belgian data protection authority ('Belgian DPA') announced, on 7 April 2021, that 3 million Belgian accounts had been affected by the data leak from Facebook. In response, the Belgian DPA noted that it had reached out to the Irish DPC and that it had called for Facebook to take responsibility and to provide further information to users about the impact of the leak and appropriate measures that users can now take without delay. Further, the Belgian DPA suggested various measures which users can now take to prevent potential misuse of their personal data.

You can read the press release in Dutch here and in French here.


The Colombian data protection authority ('SIC') announced, on 7 April 2021, that it will investigate Facebook Inc., Facebook Ireland Limited and Facebook Colombia SAS, to establish whether they complied with Colombian legislation regarding the principles of security and access, among others, following statements released by other data protection authorities on Facebook's security incident.

You can read the press release, only available in Spanish, here.

New Zealand

The New Zealand Computer Emergency Response Team ('CERT NZ') issued, on 7 April 2021, an alert concerning recent reports that information from Facebook users from 2019 had been made publicly available. In this regard, CERT NZ provided a number of recommendations to mitigate potential misuse of this data, including understanding scams and fraud, using a password manager, and enabling two-factor authentication.

You can read the press release here.


The Information Commissioner ('the Commissioner') published, on 7 April 2021, a statement on the investigation of the data leak from Facebook by the Irish DPC. In addition, the statement calls on users to pay attention to any phishing messages or calls, and recommends changing passwords to all accounts where their email addresses or phone numbers are used for authentication.

You can read the press release, only available in Slovenian, here.


The Luxembourg data protection authority ('CNPD') released, on 8 April 2021, a statement on the data leak from Facebook. Specifically, the CNPD stated that the leak appears to have taken place between June 2017 and April 2018, and that the cause of the leak had been addressed. 

You can read the press release, only available in French, here.


The Hamburg Commissioner for Data Protection and Freedom of Information ('HmbBfDI') issued, on 14 April 2021, a statement providing information on the Facebook data leak. In particular, the HmbBfDI outlined how individuals can check to see if their data has been affected and what they should do if it has. Specifically, the HmbBfDI stated that affected individuals should change any passwords, email addresses, and telephone numbers associated with the account.

Furthermore, the HmbBfDI warned of phishing via SMS, known as 'smishing', whereby short messages are sent which include a link leading directly to malware on phishing pages, and recommended that individuals delete these messages immediately and ensure their smartphones have run the latest security update.

The HmbBfDI also noted that it cannot carry out its own investigation directly on Facebook on the basis of the GDPR one-stop shop rule.

You can read the press release, only available in German, here.

Digital Rights Ireland

Digital Rights Ireland ('DRI'), a civil rights group, invited, on 16 April 2021, victims of the recent Facebook data breach to join a legal case against the company. In particular, the DRI highlighted that it will take action against Facebook to recover damages. Having issued a complaint to the Irish DPC, the DRI confirmed that it is now preparing to take the case to the Irish courts on behalf of individuals affected by the breach. In doing so, the DRI alleged that Facebook had failed to implement Privacy by Design and by Default to protect user data and to notify those affected when the leak occurred as required by the GDPR.

You can read the press release here.