Digital Rights Ireland to sue for damages for Facebook users over dark web data leak

© Provided by Irish Examiner

Digital Rights Ireland has said it intends to sue for damages for Facebook users across the EU whose data was leaked to the dark web.

It comes after DRI resolved its court case with the Data Protection Commission (DPC), in what it said is a victory for Facebook users whose data was leaked.

In November, the DPC fined Facebook-owner Meta €265m after a lengthy investigation prompted by reports that a “collated dataset” of user information for 533 million Facebook accounts had been made available on the web.

Some 100 million EU-based Facebook users were affected. The vast majority of the leaked records included phone numbers, names, genders, and Facebook IDs.

While a letter from the DPC in December confirmed that Facebook had violated several principles of the European flagship GDPR data privacy legislation, it did not accept that this was a data breach that must be notified to the individual victims, according to DRI.

Furthermore, DRI said scammers could still use this “treasure trove” of data to help defraud people.

In the letter to DRI in December, the DPC said there was no personal data breach within the definition of Article 4 (12) of the GDPR under which a personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

DRI appealed this finding to the Circuit Court. 

As part of the settlement now reached with the DPC, it accepts that this December letter was not in fact a formal decision but an update for information purposes with no legal effect.

In a statement, DRI said the DPC had agreed to pay all of its legal costs concerning the case and its complaint will now be brought forward in accordance with a procedure agreed upon by both sides.

Dr TJ McIntyre, DRI chairman, said: “We are glad this letter, which summarily rejected our complaint, has effectively been withdrawn and that the victims we represent will now have the benefit of a fair procedure."

At the time of the DPC’s decision, meanwhile, Meta said it disagreed with a number of points and would appeal. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers."

Would you like a lunchtime summary of content highlights on the Irish Examiner website? Delivered straight to your inbox at 1pm each day.