• Mohan Chathuranga

How Facebook fines could go up to $1.6 Billion

Updated: Oct 2, 2018

What factors contribute in deciding the fine for facebook in leakage of European Citizen's Personal Data. This will be a real test for newly formed EU General Data Protection Regulation.

Facebook faced another serious injury last Friday as it announced that that it had discovered an attack that exposed the personal details of 50 million accounts, including their senior management. Hackers had full access to any of the targeted accounts — essentially, they could do whatever you can do when you’re logged in. According to the Journal, Facebook’s lead European privacy regulator, Ireland’s Data Protection Commission (DPC), wants more details from the social network about the data breach’s scope, including information on EU users that were impacted. The DPC has also posted updates about its inquiry to its Twitter account:

@DPCIreland is awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of EU users which have been affected, so that we can properly assess the nature of the breach and risk to users. #dataprotection #GDPR #eudatap

The attack also gave the hackers access to other services that people logged into using their Facebook account, such as Tinder, Instagram, Spotify and Airbnb.

To break in, the attackers exploited an interaction between several different bugs in Facebook’s code, tricking the site into handing over the digital keys to individual accounts. When using the “View As” feature, which lets you see what your profile looks like to another user, a video-upload box was incorrectly left activated. Using this box to upload a video then generated a key that gave access to that other person’s account.

It marks one of the first significant tests of how regulators will apply the breach-notification and data-security provisions of the new European law, dubbed the General Data Protection Regulation, that went into effect earlier this year. It might also be a sign that the law’s threat of massive fines are already changing how firms handle big breaches—forcing them to disclose them faster and more publicly than before.

Under the GDPR, the question of blame largely hinges on whether the company was negligent, ignoring basic practices that could have prevented the breach. We don’t know enough about the attack to judge Facebook’s response at this point, but what’s happened in public has been enough to satisfy some critics. “Facebook has done a decent job so far based on what we know, including the resetting of the tokens,” says Shane Green, founder of, an alternative platform focused on data privacy. “The forensics on this stuff isn’t easy, and it’s a tricky balance to give people warning about worst case without scaring them to death or causing an overreaction.”

The key deciding points of the Administrative Fines under GDPR would be:

  • The nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of EU users affected and the level of damage suffered by them;

  • the intentional or negligent character of the infringement;

  • any action taken by the facebook to mitigate the damage suffered by EU users;

  • the degree of responsibility of facebook taking into account technical and organisational measures implemented

  • any relevant previous infringements by facebook;

  • the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

  • the categories of personal data affected by the infringement;

  • the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the facebook notified the infringement;

Based on these facts and facts highlighted in EU GDPR article 83 paragraph 4 and 5 facebook could be fined for 2% or 4% of global annual turnover. If the bug was previously reported and facebook has failed to patch it by any chance this will become a nightmare for the tech giant.

48 views0 comments