Facebook Data Breach Could Mean Up to $1.63 Billion in Fines from the EU
On September 28, 2018, social media giant Facebook disclosed that it had discovered a cyber breach in its security which allowed hackers to access the information of approximately 50 million accounts. Of those 50 million accounts around 10 percent (5 million) are based in the EU according to the Irish Data Protection Commission (DPC). Facebook’s European subsidiary is headquartered in Ireland so the Irish DPC is the organization which regulates Facebook in Europe. Now, the DPC is considering opening a formal investigation into Facebook which could generate millions of dollars in fines under strict new rules in the region. In a statement to CNBC the Irish DPC said that it was awaiting “more detailed numbers” and that it was assessing whether to open a formal probe into Facebook.
The Facebook data breach will be the first major test of Europe’s tough data protection laws introduced in May known as General Data Protection Regulation (GDPR) which regulates any company that handles the data of EU citizens and puts strong controls on how that information is used and stored. A big part of GDPR concerns data breaches and includes punishments for companies who fail to notify regulators about data breaches within 72 hours of the incident happening. Firms can also be fined if they are found to have not done enough to prevent the data breach or went against any of the principles around the processing of information outlined in GDPR legislation. If found to have breached GDPR, Facebook could face a maximum fine of up to 4 percent of its annual global turnover, around $1.63 billion of its $40.65 billion turnover from 2017.
In recent years the EU has been cracking down hard on U.S. technology companies. Last year, the EU fined Google 2.4 billion euros ($2.77 billion) after it determined that the search engine violated antitrust rules with its online shopping practices. In early 2018, the EU placed another fine on Google for another 4.34 billion euros accusing the company of abusing its dominant position with its Android mobile operating system.
In the United States, where no equivalent to the GDPR exists, the possibility of such a fine for this incident is more remote. However, Facebook is still facing a Federal Trade Commission investigation into whether several data breaches including the Cambridge Analytica scandal and a “data-scraping incident” which affected most of the websites 2.2 billion users violated a 2011 consent decree on user privacy, which could result in record fines of over a billion dollar. It’s unclear so far how the two investigations may intersect. Facebook shares are down nearly 8 percent year-to-date. This data breach is just the latest of the major issues the company has faced this years, amidst the departure of Instagram co-founders Kevin Systrom and Mike Krieger. While Europe has moved first on a major data protection law, politicians in the US have yet to introduce a nationwide piece of legislation in likeness to European data protection laws. Several tech companies, including Amazon and Google, recently appeared in front of law makers, saying that they would be happy to support a federal privacy bill.