APD/GBA (Belgium) - 29/2023: Difference between revisions
No edit summary |
No edit summary |
||
Line 78: | Line 78: | ||
The controller in this case was Meta Platforms Technologies Ireland Limited (hereafter Meta). | The controller in this case was Meta Platforms Technologies Ireland Limited (hereafter Meta). | ||
Following a suspected data leakage | Following a suspected data leakage concerning around 3,000,000 Belgian Facebook users, on 7 April 2021, the DPA called on Belgian citizens to check on the website https://benikerbij.be whether their data were part of the data leakage and if necessary to lodge a complaint with the DPA. Following this call, 1,113 complaints were lodged. | ||
On 14 April 2021, the Irish DPC opened its “own volition inquiry” to determine whether Meta complied with its privacy obligations with the functionalities Facebook Search, Facebook Contact Importer, Messenger Contact and Instagram Contact. On 29 July 2021, the Irish DPC was notified of the existence of complaints regarding the events under investigation with the Belgian DPA. In September 2022, under <nowiki>[[Article 60 GDPR|Article 60]]</nowiki> GDPR, the DPC submitted a draft of decision to various DPA’s, including the Belgian who communicated comments. In particular, the Belgian DPA considered that data scraping should be considered a data breach and that Meta had a duty to inform its users of the data leakage. | On 14 April 2021, the Irish DPC opened its “own volition inquiry” to determine whether Meta complied with its privacy obligations with the functionalities Facebook Search, Facebook Contact Importer, Messenger Contact and Instagram Contact. On 29 July 2021, the Irish DPC was notified of the existence of complaints regarding the events under investigation with the Belgian DPA. In September 2022, under <nowiki>[[Article 60 GDPR|Article 60]]</nowiki> GDPR, the DPC submitted a draft of decision to various DPA’s, including the Belgian who communicated comments. In particular, the Belgian DPA considered that data scraping should be considered a data breach and that Meta had a duty to inform its users of the data leakage. |
Revision as of 09:41, 21 March 2023
APD/GBA - 29/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 25(1) GDPR Article 25(2) GDPR Article 32 GDPR Article 33 GDPR Article 34 GDPR Article 60 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 07.04.2021 |
Decided: | 17.03.2023 |
Published: | |
Fine: | n/a |
Parties: | Meta |
National Case Number/Name: | 29/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | ls |
The Belgian DPA rejected complaints against Meta following a data leakage, considering that it was bound by the DPC decision on that matter.
English Summary
Facts
The controller in this case was Meta Platforms Technologies Ireland Limited (hereafter Meta).
Following a suspected data leakage concerning around 3,000,000 Belgian Facebook users, on 7 April 2021, the DPA called on Belgian citizens to check on the website https://benikerbij.be whether their data were part of the data leakage and if necessary to lodge a complaint with the DPA. Following this call, 1,113 complaints were lodged.
On 14 April 2021, the Irish DPC opened its “own volition inquiry” to determine whether Meta complied with its privacy obligations with the functionalities Facebook Search, Facebook Contact Importer, Messenger Contact and Instagram Contact. On 29 July 2021, the Irish DPC was notified of the existence of complaints regarding the events under investigation with the Belgian DPA. In September 2022, under [[Article 60 GDPR|Article 60]] GDPR, the DPC submitted a draft of decision to various DPA’s, including the Belgian who communicated comments. In particular, the Belgian DPA considered that data scraping should be considered a data breach and that Meta had a duty to inform its users of the data leakage.
On 25 November 2022, the DPC adopted its final decision. Its investigation revealed that in the Facebook search tool, the default settings allow all users to find each other's profiles via their phone numbers or email addresses (with a possibility to deactivate it manually). It therefore concluded that there was a strong risk that the phone numbers and email addresses would be scraped and linked to the identity of their owners. It also held that after the leakage, Meta did not implement adequate technical and organizational measures and failed to demonstrate that it had conducted a risk analysis. Therefore, the DPC found a violation of Article 25(1), 25(2), 5(1)(b) and 5(1)(f) GDPR, ordered Meta to comply with the provisions and imposed a Є150,000,000 and a Є115,0000 fine respectively for the violations of Articles 25(1) and 25(2).
Holding
The complaints in Belgium were related to a possible violation of Articles 32 to 34 GDPR and the DPC decision focused on Article 25. The Belgian DPA considered that this focus on Article 25 did not cause any prejudice to the complainants.
In the context of the cooperation procedure of [[Article 60 GDPR|Article 60]], the DPA considered to be bound by the DPC’s decision, exclusively competent. Therefore, it rejected the complaints in Belgium.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.