Ireland’s online privacy watchdog has launched an investigation into Facebook after reports that data belonging to more than 500 million users worldwide was leaked online.
The Data Protection Commission (DPC), which is responsible for upholding privacy rights across the EU, said in a statement on Wednesday that it had engaged with the social media giant about the issue.
The DPC said it is of the opinion that “one or more” data protection provisions may have been breached by Facebook.
The breach has affected 533 million people around the world, including about 1.5 million Irish users.
Information such as names, phone numbers, email addresses and other personal details contained on private Facebook profiles was made publicly available in an unsecured, searchable database.
On Wednesday, the DPC said it had launched an inquiry “in relation to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet”.
In a statement, it said: “This dataset was reported to contain personal data relating to approximately 533 million Facebook users worldwide.
“The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses.
“The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook users’ personal data.”
The DPC said it has to determine whether Facebook Ireland had complied with its obligations “in connection with the processing of personal data of its users”.
Facebook has previously downplayed the problem, saying it had happened previously, using a method that can no longer be used.
In a blog post last week, product management director Mike Clarke said “malicious actors” obtained the data not through hacking, but through a process known as “scraping”.
The method uses automated software to collect public information on the internet, which can then be compiled in a database.
Mr Clarke wrote: “The methods used to obtain this data set were previously reported in 2019. This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.
“As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists.”
A Facebook company spokesperson said: “We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services.
“These features are common to many apps and we look forward to explaining them and the protections we have put in place.”