The Irish Data Protection Commission (DPC) has opened a second inquiry into Facebook after the social network revealed a bug that exposed 6.8 million users' photos.
The DPC said it's investigating whether Facebook had breached EU privacy rules following the glitch, disclosed on Friday, that allowed some 1,500 software apps to access private photos for 12 days.
"Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos," Facebook said in a blog post. "We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018."
Cambridge Analytica and Facebook: What happened and has it impacted any votes? General Data Protection Regulation (GDPR)
Under the GDPR, companies have 72 hours to report data breaches to authorities or face a potential fine of 20 million or four percent of annual turnover, whichever is higher. However, this is not the first breach Facebook has suffered since the GDPR came into force.
"The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018," a DPC spokesperson said. "Reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook's compliance with the relevant provisions of the GDPR."
Facebook's European infrastructure is mainly established in Ireland, where it has datacentres and benefits from the One Stop Shop mechanism provided for in the GDPR. This rule means that organisations carrying out cross-border personal data processing activities will only have to deal with one supervisory authority.
For Facebook, this is the DPC. The Irish data regulator arguably has the biggest data processing organisation to watch over and also one of the most problematic considering how torrid a year Mark Zuckerberg and his creation have had.
Luckily for Zuckerberg, the GDPR only came into force 25 May, because the platform came under heavy scrutiny at the start of 2018 following the Cambridge Analytica scandal. From there the company has found itself in one controversy after another, such as the massive data breach the site suffered in October, which the DPC also investigated.
