As of today, the SOMI Foundation makes it possible for all European consumers to check via its SOMI app whether they have become a victim of the Facebook data leak from April this year. It can also reveal which of their personal data is circulating on the Dark Web. In total, personal data of more than 533 million Facebook accounts were leaked in April 2021, including 96.7 million European accounts. After verifying their own data, consumers can participate in the foundation’s legal investigation and possible collective claim against Facebook, which requires collection of evidence of GDPR violation from the data breach. The foundation is offering a total of €10,000 to anyone who can prove with their personal data that Facebook has violated the GDPR.
The recent Facebook leak in April 2021 contains personal data from 533 million accounts around the world, including 96.7 million accounts from Europe and 5.4 million from the Netherlands. The stolen personal data is now circulating on the Dark Web. Majority of the leaked accounts contain a telephone number, but the e-mail address of more than 2.5 million accounts were also leaked.
Although Facebook has acknowledged the leak, the US tech giant has chosen not to personally notify the victims. The company provided a reason that, at the time, it was an old leak: “This is old data that was reported back in 2019. We found and solved the underlying problem in August 2019,” said the spokesperson on Twitter about the leak back in April.
According to SOMI, Facebook may have violated the General Data Protection Regulation (GDPR) by failing to inform its users about the leak in a timely and adequate manner. Although most of the data were collected through scraping, a technique that extract data from public profiles, this does not seem to apply to all the leaked data. The foundation is now launching an investigation into this matter. In pursuant to the GDPR, Facebook was obliged to report any leaks within 72 hours to the Irish Data Protection Commission (DPC), the regulator of the country where Facebook has its European headquarters. In any case, according to SOMI, Facebook should have taken more action to prevent scraping.
According to SOMI, it is doubtful that the leak concerns ‘old data’. “Phone numbers are regularly used in two-factor authentication and other identification processes. It is often a piece of information that remains the same for many people for many years, sometimes even ten years,” says Cor Wijtvliet from SOMI. “But Facebook is probably referring to the period in which the GDPR has entered into force in May 2018 with its claim.”
Only if all leaked data were scraped before May 2018, there may be no GDPR violation. However, various analyses show that it is very likely that data from after May 2018 has also become exposed in this data breach. SOMI now wants more certainty about this issue with a further legal investigation.
With the collective research – also known as crowdsourcing – SOMI calls on participants to join in the foundation’s legal preparatory research. “The victims of the leak can confirm and prove whether the stolen data have been published on the platform before or after May 2018, the period in which the GDPR came into effect,” says Wijtvliet. “In addition to reminding victims to be extra vigilant about phishing activities with the stolen data, we are offering a ten times reward of €1,000 each to anyone who can demonstrate with certainty that his or her personal data contained in the data breach originates after the date in which the GDPR entered into force”.
Consumers can check whether their telephone number is on the leak via the SOMI app. If that is the case, then – after identity verification – it is also possible to see which personal data is involved. After which, it is up to the participant to demonstrate when this information first became known to Facebook and subsequently exposed in this leak.
The Foundation for Market Information Research (SOMI) is a non-profit organization set up to identify and influence issues of social importance. SOMI is a recognized claims foundation in the field of privacy and data autonomy and is committed, among other things, to the protection of the fundamental rights of consumers and minors who use various online services. With the app that SOMI has developed, we want to restore ownership and control over personal data to all the people: All your data. all yours. SOMI investigates abuses, informs the public and helps injured parties. SOMI does this by conducting collective proceedings and claiming compensation. SOMI is currently investigating possible GDPR violations by Facebook, TikTok and Zoom and the European governments reliance on American software from Palantir.