An online privacy group is planning to lead a mass legal action by Facebook users against the social network, seeking compensation for the publication of their personal information online.
Digital Rights Ireland (DRI) claims Facebook's response to the recent appearance on the internet of names, phone numbers, email addresses, location data and biographical information of up to 533 million users, including many in Ireland, has been inadequate.
"The scale of this breach, and the depth of personal information compromised, is gobsmacking," said Antoin Ó Lachtnain, Director of DRI.
"This will be the first mass action of its kind but we're sure it won't be the last. The laws are there to protect consumers and their personal data and it's time these technology giants wake up to the reality that protection of personal data must be taken seriously."
On 3 April, the user data appeared online for free on an online hacking forum.
Facebook said at the time that the information, some of which had already appeared online a number of years ago, was scraped, but not hacked, by "malicious actors" through a vulnerability in its tools prior to September 2019.
"Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this," the company said.
The social network has also claimed it patched the vulnerability in 2019, preventing any further data from being harvested.
On Wednesday, however, the Data Protection Commission (DPC) launched a formal inquiry into the matter to establish whether the incident constituted a breach of the General Data Protection Regulation (GDPR).
Under the law, the maximum fine that can be imposed for a breach is 4% of global turnover or €20m.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
But Digital Rights Ireland, which complained to the DPC about the incident, thinks forcing large companies to pay money to users whose privacy rights they have violated is the best way to make them become legally compliant.
It is, therefore, now preparing to lead a legal action on behalf of users, because it claims Facebook failed to implement privacy by design and by default to protect this user data.
It also claims the company failed to notify those affected when the leak occurred and also failed to notify the Data Protection Commission.
The organisation, which has been successful in a number of high-profile data protection legal actions in the past, is inviting Facebook users in Europe who think their data was included in the leak to join the mass action lawsuit.
Digital Rights Ireland said it is unclear how many people might put their cases forward, but it estimates it could be in the thousands.
Those who take part will have to pay a still-to-be-decided upfront contribution to Digital Rights Ireland to cover the costs of the case.
If the case were to prove unsuccessful, they would lose that money, but would not be liable for any further costs which would fall on Digital Rights Ireland.
If it does not go ahead, they would get their money back and if the action were to be successful, they may be awarded damages.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
Class actions are not allowed under the Irish legal system, but under Article 80 of the GDPR, certain specified bodies may initiate a mass action on behalf of individuals on a particular issue once they have a mandate from them.
More information on the plan is available at facebookbreach.eu.
