Facebook has faced a string of privacy problems since the GDPR became applicable on May 25th, 2018. Even before the GDPR there were setbacks in how Facebook protected its users’ personal information. The scale of the problem should not come as a surprise, given the size of the database this social media giant holds: 2.32 billion monthly active users in the last quarter of 2018, according to figures published by statista.com.

Before GDPR

Under the UK’s previous regime, the Data Protection Act 1998, the Information Commissioner’s Office fined Facebook £500,000 (about $645,000) for two breaches of the Act: failing to protect its users’ information and failing to be transparent about how that data was harvested by others. Both related to Cambridge Analytica, a political data company engaged by Donald Trump’s 2016 election campaign, which obtained the private information of more than 50 million Facebook users (a figure Facebook later revised to as many as 87 million). The company offered tools that profiled the personalities of American voters in order to influence their behaviour, and the data was used in the 2016 presidential campaign and the UK referendum the same year. The penalty was the maximum the DPA allowed; under the GDPR it could have been far larger (up to 4% of global annual turnover). Regardless of the amount, the case caused lasting damage to Facebook’s reputation.

First case

On the 25th of May last year, the very day the GDPR came into force, Max Schrems, founder of the privacy advocacy group NOYB (None Of Your Business), filed complaints against Facebook, arguing that the company had “blackmailed” users into handing over personal information by leaving them only two options: accept the new terms and provide more data than is necessary to operate the service, or lose access to their account.

Under the GDPR’s one-stop-shop mechanism, matters concerning Facebook fall to the Irish Data Protection Commission as lead supervisory authority, because Facebook’s European headquarters (Facebook Ireland Ltd) are in Dublin.

The three bugs in the “View As” option

These events prompted a number of changes, and Facebook updated many of its privacy settings. The updates were not enough to prevent further breaches. In September 2018, Facebook disclosed an attack on its network that it initially said affected nearly 50 million accounts (the figure was later revised down to about 30 million). The issue lay in the “View As” feature, which lets users see how their profile appears to people who are not on their friend list. Attackers abused the feature to steal users’ access tokens, the digital keys that keep a user logged in after they have entered their username and password; with a stolen token an attacker can act as that user without knowing their password. Three bugs combined to make this possible:

  1. The video uploader should not have appeared in certain cases (for instance around posts encouraging people to wish someone a Happy Birthday), including while a profile was being rendered in “View As” mode;
  2. The video uploader incorrectly used single sign-on (SSO) to generate an access token that carried the permissions of the Facebook mobile app rather than the narrow permissions the uploader needed;
  3. When the video uploader appeared in “View As” mode (because of the first bug) and generated an access token (because of the second bug), the token was issued not for the viewer but for the user whose profile they were looking up.
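The chain above is, at bottom, a confused-deputy failure: a token is minted with the wrong subject and a wider scope than the requesting component needs. The following is an added, simplified illustration of that failure and of the corresponding hardening; it is not Facebook’s code, and the session fields, scope names and function names are assumptions made for the example. The vulnerable issuer derives the token’s subject from the “effective” user of the page being rendered, so an attacker previewing a victim’s profile walks away with a token bound to the victim and carrying the mobile app’s broad scopes. The hardened issuer binds the subject to the authenticated session, grants only the uploader’s own scope, and refuses to mint anything while impersonation is in effect.

```python
"""Toy model of the access-token flaw behind the 'View As' breach.

Added illustration only: not Facebook's code. Field names, scope names
and function names are invented for the example.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed signing key for the demo; a real issuer keeps this in a KMS/HSM.
SIGNING_KEY = b"demo-only-signing-key"

# Scope sets are assumptions for the example. The video uploader only needs
# to upload; the mobile app's token is far broader.
UPLOADER_SCOPES = frozenset({"upload_video"})
MOBILE_APP_SCOPES = frozenset({"upload_video", "read_profile", "read_messages", "post"})


@dataclass
class Session:
    """State the server holds for one logged-in browser session."""
    user_id: str                    # the authenticated viewer (who is really logged in)
    view_as: Optional[str] = None   # profile owner being previewed in View As mode, if any


def _sign(payload: dict) -> str:
    """Serialise the payload deterministically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token: str) -> dict:
    """Check the HMAC in constant time and return the payload; raise on tampering."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad token signature")
    return json.loads(body)


def vulnerable_issue_uploader_token(session: Session) -> str:
    """Mirrors the three bugs: the uploader mints even in View As mode, the
    SSO path hands out mobile-app permissions, and the subject is the
    *effective* user of the page (the person being looked up), not the
    authenticated viewer."""
    effective_user = session.view_as or session.user_id            # bug 3
    payload = {
        "sub": effective_user,
        "scopes": sorted(MOBILE_APP_SCOPES),                        # bug 2
        "iat": int(time.time()),
    }
    return _sign(payload)


def hardened_issue_uploader_token(session: Session) -> str:
    """Bind the token to the authenticated principal and to the least scope
    the embedding component needs; refuse to mint while impersonating."""
    if session.view_as is not None:
        # bug 1: the uploader must not render (or mint) in View As mode.
        raise PermissionError("no token issuance while in View As mode")
    payload = {
        "sub": session.user_id,                 # never the viewed profile
        "scopes": sorted(UPLOADER_SCOPES),      # component's scope, not the app's
        "iat": int(time.time()),
    }
    return _sign(payload)


def token_subject(token: str) -> str:
    return verify_token(token)["sub"]


def token_scopes(token: str) -> set:
    return set(verify_token(token)["scopes"])


if __name__ == "__main__":
    attacker = Session(user_id="attacker", view_as="victim")
    stolen = vulnerable_issue_uploader_token(attacker)
    print("vulnerable path mints token for:", token_subject(stolen), token_scopes(stolen))
    try:
        hardened_issue_uploader_token(attacker)
    except PermissionError as exc:
        print("hardened path:", exc)
    normal = hardened_issue_uploader_token(Session(user_id="attacker"))
    print("normal upload token:", token_subject(normal), token_scopes(normal))
```

The check worth carrying into any real issuer is the one in the hardened path: the token subject must come from the authenticated session, never from whatever “effective user” the rendering context happens to hold, and the scope must be that of the component requesting the token, not of the broadest client that shares the SSO flow.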

Facebook acted in line with the regulation’s breach rules (Article 33, notification of the supervisory authority, and Article 34, communication to affected data subjects): it notified the affected users, reset the stolen tokens and temporarily disabled the “View As” option. The Irish Data Protection Commission was notified within the 72 hours the regulation requires, but the information Facebook provided was insufficient, and the DPC said so publicly.

Two fines issued by Italian authorities

In December 2018, Italy’s Competition Authority (AGCM) issued two fines totalling ten million euros (five million each). These were imposed under Italy’s Consumer Code, for unfair commercial practices, rather than under the GDPR itself. The first fine was for misleading practice, in that Facebook:

  1. Misled users during sign-up about the extent to which the data they provide would be used for commercial purposes;
  2. Emphasised only the free nature of the service without informing users of the “profitable ends that underlie the provision of the social network”, thereby leading them to a decision of a commercial nature they might not have taken with all the facts in hand.

The second fine was for an “aggressive practice”:

  3. Transmitting registered users’ data from Facebook to third parties, and vice versa, for commercial purposes, with the sharing switched on by default.

(Not so) private photos

The very same month, another major bug came to light. Facebook announced that photos of up to 6.8 million users had been exposed to as many as 1,500 applications built by 876 developers for twelve days in September 2018 before the company noticed and fixed the issue. The bug let third-party apps that had been granted access to a user’s timeline photos also read photos the user had not shared publicly, including photos uploaded but never posted, without the user’s consent. This time Facebook waited nearly two months before notifying the data protection authorities and the affected users.

According to the gdpr.eu portal, Facebook has tried more than one strategy for sidestepping the GDPR. The first was the “View As” case, where it gave the authorities so little information that a proper investigation was compromised. The second was the photo bug, where it ignored the rule that a breach must be reported within 72 hours of the controller becoming aware of it, effectively claiming an unlimited period to investigate before coming clean to the authorities.

Struggles continued in 2019

Canada’s federal Privacy Commissioner opened an investigation into Facebook in March 2018, in the wake of the Cambridge Analytica revelations, and published its findings in April 2019. The investigation found that the company:

  1. Failed to obtain meaningful consent from the friends of users who installed apps, and gave no clear information about disclosures that could occur years later, to unknown apps for unknown purposes. It also relied, unreasonably, on each user to consent on behalf of all of their friends to the release of the friends’ information to an app, even though those friends had no knowledge of the disclosure;
  2. Had inadequate safeguards for user information: it relied on contractual terms with apps to guard against unauthorised access, but monitored compliance with those terms in a largely reactive, and therefore ineffective, way, and could produce no evidence of enforcement action taken over privacy-related breaches of those contractual requirements;
  3. Failed to be accountable for the user information under its control, declining to take responsibility for the privacy protection it had failed to provide to its users.

Facebook’s privacy troubles did not stop there. The latest issue emerged in April this year, when the security firm UpGuard revealed that large sets of Facebook user data had been left on publicly accessible cloud storage with no access controls.

The data had been collected through Facebook’s platform by the Mexican digital publisher Cultura Colectiva and stored in an Amazon Web Services (AWS) S3 bucket that was readable by anyone on the internet.