Under the GDPR, Facebook Could Be Hit with upto to 1.63 Billion USF Fine for Latest Hack

Facebook was recently hit by a data loss due to a bug, which exploited flaws in the site’s “View As” and video uploader feature to gain access to the accounts, forced Facebook to reset access tokens for 50 million users and reset those for 40 million others as a precaution. (That means if you were logged out of your devices, you were affected.)

Facebook has not reported whether the attackers attempted to extract data from the affected profiles, but vice president of product management Guy Rosen told reporters they had attempted to harvest private information from Facebook’s systems, according to the New York Times. Rosen also said Facebook was unable to determine the extent to which third-party apps could have been compromised.

This new hack could cost Facebook upwards of $1.63 billion dollar fine in the European Union, according to the Wall Street Journal.

According to the Journal, the European Union’s top privacy watchdog for Facebook, Ireland’s Data Protection Commission, is also struggling to learn information about what exactly happened:

Ireland’s Data Protection Commission, which is Facebook’s lead privacy regulator in Europe, said Saturday that it has demanded more information from the company about the nature and scale of the breach, including which EU residents might be affected.

In an emailed statement, the regulator said it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”

The Journal wrote that the breach may trigger the maximum fines possible under Europe’s recently enacted General Data Privacy Regulation, which is four percent of a firm’s global revenue for the prior year. That would be $1.63 billion:

Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation.

The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.

As the Journal noted, European regulators have not used the GDPR to levy fines yet and it remains to be seen whether they would apply the maximum penalty or any at all, especially if they determine Facebook “took appropriate steps to safeguard its users’ data before the hack” and “has cooperated or been in at least partial compliance.” However, the GDPR contains recommendations that companies store as little user data as necessary, potentially exposing Facebook to higher liability. The European Commission also recently demanded Facebook better disclose to users “how their data is being used or face consumer-protection sanctions in several countries,” the paper added.