In April 2021, the general press reported a data leak of millions of users of the Facebook social network, including in particular telephone number, Facebook ID, name, address, email, or location information (see not. A.Holmes, 533 million Facebook users’ phone numbers and personal data have been leaked online, Business Insider, Apr. 3, 2021). This revelation leads to the self-referral of the Irish national data protection authority, the Data Protection Commission (DPC), considered as the lead supervisory authority. Indeed and in accordance with Article 56, § 1, of the General Data Protection Regulation (EU) 2016/679 of April 27, 2016 (RGPD), the DPC is competent for cross-border processing carried out by the company Meta, in to the extent that its principal place of business is in Ireland.
It appears from the DPC’s investigation that the massive extraction of personal data in question came from the use of the contact search function (Facebook Search). This function offered users the possibility of finding the profile of their loved ones by entering their telephone number or email address, it being specified that all profiles authorized by default the possibility of finding them using this function. Using fake accounts and bots using a list of phone numbers, it was thus possible to automatically extract many profiles to associate profile information and phone details. In order to minimize this risk, Meta already limited the use of its service to a maximum speed. During a Functional Integrity Assessment Facebook Search, Meta has observed abnormally high usage of its service. It turned out that to circumvent fraud detection programs, the malicious bots intentionally limit the siphoning of data (web scraping) below the threshold of the maximum authorized flow. In response, Meta removed the feature.
It appeared that disabling this service led to an abnormal increase in the use of another function: that of account recovery (Contact Importer), which allowed an account to be recovered using the telephone number or email address, and which was also subject to a rate limiting measure. This function was then limited by Meta to cases where the user did not have a device associated with the account. A team dedicated to the detection of web scraping was then incorporated. Eventually, Meta also decided to remove the function Contact Importer between August and September 2019, limiting the time frame of the DPC’s investigation between May 25, 2018 – date of entry into force of the GDPR – and September 2019.
Au…