Meta, Facebook’s parent company, has just been fined €265 million (about $275 million) by the Irish Data Protection Commission (the Commission) following an inquiry that commenced in April 2021. More specifically, on November 28, 2022, the Commission announced its finding that Meta Platforms Ireland Limited, the data controller for the Facebook social network, had breached Articles 25(1) and 25(2) of the General Data Protection Regulation (GDPR).
Articles 25(1) and 25(2) of the GDPR set out data protection by design and by default. Article 25(1) requires the controller to take a holistic view at the outset (taking into account the nature, scope, context and purposes of the processing and the risks it poses) and to implement appropriate technical and organizational measures, such as pseudonymisation, that build the data protection principles into the processing itself. Article 25(2) requires that, by default, only the personal data necessary for each specific purpose is processed, and that personal data is not made accessible to an indefinite number of people without the individual’s intervention. The ultimate goal of these provisions is to have the rights of data subjects, and the safeguards needed to protect them, in mind from the very beginning of the processing rather than bolted on afterwards.
What happened in this case? Media reports of a collated dataset of Facebook personal data that had been made available on the Internet prompted the inquiry. According to the Commission, the scope of the inquiry was an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited between May 2018 and September 2019. The Commission questioned whether the company had ensured that it was protecting data by design and by default, which led to an examination of the technical and organizational measures the company had actually implemented. The inquiry involved cooperation with all of the other data protection supervisory authorities within the European Union, and those authorities agreed with the Commission’s decision that Meta had not complied with Articles 25(1) and 25(2) of the GDPR.
Accordingly, the Commission imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. The Commission also imposed administrative fines totalling €265 million.
The impact on users was considerable: personal data (including email addresses, birthdates and mobile phone numbers) from more than 500 million Facebook accounts had been posted to a low-level hacking forum, where it was freely available to anyone. Facebook’s original response downplayed the situation, suggesting that this was a dump of old data, most likely scraped from public profiles by malicious actors abusing the contact importer feature, and that the feature had since been fixed. A more recent Meta statement makes clear that the company now takes the decision seriously. It says it has put in place several measures, including rate limits and technical tools to combat suspicious automated activity, along with controls that let users limit the public visibility of their information.
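The article does not describe how the scraping worked, and the sketch below is an added illustration written for this page, not code from the original article, from Meta, or from the Commission’s decision. It assumes a hypothetical contact-importer API (the ContactImporter class, its limits and the constructed sample directory are all invented for the example) to show why an unthrottled "which of these phone numbers belong to accounts?" lookup is an enumeration oracle, and how the two measures named above, a per-caller rate limit and a user-side discoverability control, bound what a scraper can recover.

```python
"""Hypothetical contact-importer lookup, before and after two
'by design' mitigations: a per-caller sliding-window rate limit and a
user-side opt-out from lookup by phone number. Constructed example,
not Meta's code."""
from collections import deque
import time


class RateLimitExceeded(Exception):
    """Raised when a caller exceeds the batch size or lookup quota."""


# Constructed sample data: phone number -> account id, plus the set of
# accounts whose owners have opted out of being found by phone number.
SAMPLE_DIRECTORY = {
    "+15550100": "user_a",
    "+15550142": "user_b",
    "+15550177": "user_c",
    "+15550199": "user_d",
}
SAMPLE_OPTED_OUT = {"user_d"}


class ContactImporter:
    """Matches uploaded phone numbers against the account directory."""

    def __init__(self, directory, opted_out, max_batch=50,
                 max_lookups_per_window=500, window_seconds=3600,
                 clock=time.monotonic):
        self.directory = directory
        self.opted_out = opted_out
        self.max_batch = max_batch
        self.max_lookups = max_lookups_per_window
        self.window = window_seconds
        self.clock = clock        # injectable so a test can advance time
        self._history = {}        # caller_id -> deque of lookup timestamps

    def match_unthrottled(self, numbers):
        """'Before': any batch size, unlimited calls, no user control.
        Walking a numbering range recovers every account's number."""
        return {n: self.directory[n] for n in numbers if n in self.directory}

    def match(self, caller_id, numbers):
        """'After': bounded batch, per-caller sliding-window quota, and
        accounts that opted out of phone lookup are never returned."""
        now = self.clock()
        if len(numbers) > self.max_batch:
            raise RateLimitExceeded(
                f"batch of {len(numbers)} exceeds limit of {self.max_batch}")
        history = self._history.setdefault(caller_id, deque())
        while history and now - history[0] >= self.window:
            history.popleft()     # forget lookups outside the window
        if len(history) + len(numbers) > self.max_lookups:
            raise RateLimitExceeded(
                f"{caller_id} exhausted {self.max_lookups} lookups "
                f"per {self.window}s")
        history.extend([now] * len(numbers))   # count every number looked up
        return {n: uid for n, uid in self.match_unthrottled(numbers).items()
                if uid not in self.opted_out}


def scrape_range(importer, caller_id, first, last, batch=10, throttled=True):
    """Simulated scraper: submits +1555NNNN for NNNN in first..last, one
    batch at a time, until the API refuses. Returns (accounts found,
    number of lookups the API answered)."""
    found, answered = {}, 0
    numbers = [f"+1555{i:04d}" for i in range(first, last + 1)]
    for start in range(0, len(numbers), batch):
        chunk = numbers[start:start + batch]
        try:
            if throttled:
                found.update(importer.match(caller_id, chunk))
            else:
                found.update(importer.match_unthrottled(chunk))
        except RateLimitExceeded:
            break
        answered += len(chunk)
    return found, answered


if __name__ == "__main__":
    imp = ContactImporter(SAMPLE_DIRECTORY, SAMPLE_OPTED_OUT,
                          max_batch=10, max_lookups_per_window=20)
    print("unthrottled:", scrape_range(imp, "scraper", 100, 199, throttled=False))
    print("throttled:  ", scrape_range(imp, "scraper", 100, 199))
```

Run with a 100-number range, the unthrottled path hands back all four sample accounts; the throttled path answers twenty lookups (one account found) and then refuses, and user_d is never returned on that path regardless of quota. The quota counts numbers looked up rather than requests, so shrinking the batch size buys the scraper nothing, and the limit is keyed on the caller rather than the number, which is the property that turns an unbounded oracle into a bounded one.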
What can we take from this?
It must be noted that the European Union’s GDPR contains very strong privacy protections, such as the above-mentioned Articles 25(1) and 25(2). Its territorial scope is set out in Article 3, which explains the circumstances in which the GDPR applies to controllers or processors outside the European Union: where they offer goods or services to data subjects in the European Union, or monitor the behaviour of data subjects as far as that behaviour takes place within the European Union.
Canada’s federal privacy law for the consumer context, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not currently contain privacy by design and by default provisions of this kind. That said, there are Canadian sources that explain the concept of Privacy by Design and help organizations that wish to incorporate best practices into their policies and procedures, namely the seven foundational principles of Privacy by Design developed by Ann Cavoukian.
The lesson from this story is that Meta failed to ensure, from the outset of the processing, that appropriate technical and organizational measures were in place and that the rights of data subjects were protected by design and by default.
How can Canadian organizations ensure that the necessary safeguards are in place from the outset? They can refer to Principle 7, Safeguards, in Schedule 1 of PIPEDA. That principle calls for physical, organizational and technological measures that are appropriate in the circumstances. The Office of the Privacy Commissioner also publishes a helpful guidance document, Interpretation Bulletin: Safeguards, to which organizations may refer. Essentially, it states that security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, and that the safeguards must be appropriate to the sensitivity of the information: more sensitive information requires a higher level of protection.
In cases where there has been a breach of security safeguards, organizations must act quickly and refer to Division 1.1, Breaches of Security Safeguards (sections 10.1 to 10.3 of PIPEDA), and the Breach of Security Safeguards Regulations (SOR/2018-64) in order to comply with their reporting and record-keeping obligations in a timely manner.
Please note that any views expressed in this article are solely the views of the author.