Last week, it was revealed that a Facebook bug gave 876 different app developers access to the private photos of up to 6.8 million users for almost two weeks before the company found and fixed the problem. That's not a great look for a social media company guilty of security lapses in the past, but some bad P.R. isn't Facebook's only problem.
It turns out Facebook waited three months to tell authorities about the data breach, apparently violating the General Data Protection Regulation, which requires 72-hour notification in the event of a breach. So, what is the GDPR and can you get in trouble for not complying with it?
The GDPR is a European Union regulation on data protection and privacy. Under the GDPR, companies that collect and manage personal data must put in place appropriate technical and organizational measures to implement data protection principles. Companies must clearly disclose any user data collection, the basis and purpose for data processing, how long data is being retained, and whether it is being shared with any third parties. Businesses are also responsible for making sure personal data is not available publicly without explicit, informed consent from users, who have the right to revoke this consent at any time.
Perhaps most relevantly, the GDPR requires businesses to report any data breaches within 72 hours if they have an adverse effect on user privacy. Violations can cost companies up to €20 million in fines or up to 4 percent of the company's profits from the preceding fiscal year, whichever is greater.
And if you're thinking, "This is an EU regulation and I'm an American business," you may want to think again. The GDPR applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU. So, if you have any customers or clients in EU member countries, you need to be GDPR-compliant.
So what was Facebook's response to the delay in reporting the latest data breach? A company spokesperson told Forbes: "We notified the IDPC as soon as we established it was considered a reportable breach under GDPR. We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72 hr timeframe." In essence, Facebook is reading the 72-hour notification requirement to start the reporting clock not from the breach itself, or even the company's awareness, but from the time the company determines that it must report the breach.
Will that argument work with regulators? We're not sure yet. But we are sure that gambling with privacy laws that could cost you dearly in fines and penalties is not a safe bet. Contact a local commercial attorney for help complying with local, state, federal, AND international privacy laws.