The Irish Data Protection Commission (equivalent to our AEPD) has announced the opening of an investigation to determine whether the massive data leak that came to light earlier this month violated European regulations.
Recall that this leak exposed 533 million phone numbers (along with other personal data), of which 11 million were Spanish numbers. Despite this, Facebook Europe did not notify the data supervisor, which had to find out through the media, like the rest of Europe.
On top of that, Facebook has said it has no plans to individually notify the 533 million affected users of what happened, despite the risk of spam (or worse, phishing) as a result of the leak.
First steps of the investigation
The IDPC, the body primarily responsible for overseeing Facebook's European operations because the company's physical headquarters are there, has announced in a statement that it is launching this investigation on its own initiative, since
"Having considered the information provided by Facebook Ireland with respect to this matter to date, it is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been or are being violated with regard to the personal data of Facebook users."
Subsequently, Facebook released statements in which it claims to be "fully cooperating with IDPC in its investigation" and says it trusts it will be able to explain the features and protections implemented on its platform.
Who watches the watchman (when he's lazy)?
The IDPC statement says that the investigation is being carried out on its own initiative, which is correct in the sense that it was not initiated after a formal complaint from any European citizen or entity ...
... however, as early as Monday the European Commissioner for Justice, Didier Reynders, had pressed Helen Dixon, head of the IDPC, on this, tweeting that the Commission was "closely following the case" and that "it is committed to supporting the national authorities."
It should be remembered here that the IDPC is a body that has been criticized on multiple occasions for its ineffectiveness: as an example, it did not issue its first fine for a GDPR violation until last January, despite the fact that the rule has been in force for three years and that almost all the European subsidiaries of the large American technology companies are based in Ireland.
Indeed, just last month the European Parliament passed a resolution in which it explicitly expressed "great concern" about the functioning of the IDPC, especially regarding its delays, and criticized its tendency to close cases without imposing sanctions.
Via | TechCrunch