The Irish Data Protection Commission (DPC) is looking into another potential General Data Protection Regulation (GDPR) breach by Facebook, after the company admitted in a statement that a glitch might have allowed unposted pictures from about 6.8 million Facebook users to be accessed by unauthorized individuals.
The DPC will investigate the incident under the GDPR, which the EU implemented on May 25, 2018. The data protection law was created to give regulators the authority to sanction companies that fail to sufficiently protect personal information. Corporations can face penalties as high as €20 million or 4% of their yearly global turnover, whichever is higher, if they fail to comply with GDPR. If Facebook is fined, the penalty could potentially be as much as €1.4 billion, based on 2017 annual earnings of €35.2 billion.
Facebook is under the jurisdiction of the DPC because its European headquarters is based in Dublin. Graham Doyle, the Head of DPC Communications, said the Irish DPC has received several breach notifications from Facebook since the GDPR was introduced. A statutory inquiry into Facebook’s compliance with pertinent conditions of the GDPR commenced this week.
Facebook issued a statement saying that signing into Facebook and giving authorization to third-party applications to see photos may have resulted in an unintentional breach from September 13 to 25.
Facebook Engineering Director Tomer Bar explained to developers that when a person gives authorization for an app to see their pictures on Facebook, it usually allows the app to access photos that people have shared on their timeline. However, the bug essentially allowed developers to access other photos, including those shown on Marketplace or Facebook Stories.
This is the most recent incident in a busy year for Facebook with regard to data privacy investigations. Another investigation was launched in October when approximately 50 million user accounts were compromised in a Facebook data breach.