Facebook Inc., Clubhouse and Microsoft Corp.’s LinkedIn have stressed that recently reported data leaks involved information from public user profiles, not from security breaches. In the European Union, where privacy laws require businesses to protect even publicly available personal data, that distinction may not relieve them of responsibility.

Facebook stressed that the leak of around 533 million users’ data wasn’t a hack, saying attackers scraped the information from profiles before September 2019, and that the company fixed a feature to prevent such scraping after discovering the incident.

LinkedIn and Clubhouse made similar comments this month. Disclosing that it had investigated a report that user data had been posted online for sale, LinkedIn said the incident involved publicly viewable profile data and “was not a LinkedIn data breach.” Clubhouse, meanwhile, responded on Twitter to a report that user data had been posted online, saying that there hadn’t been a breach and only public profile information had been posted.

The Irish data protection commissioner opened an investigation into Facebook’s data leak, citing potential infringements of one or more provisions in the European Union’s 2018 General Data Protection Regulation. The Italian privacy authority started a probe of the LinkedIn leak this month and warned that personal data scraped from users’ profiles could be used for online fraud or identity theft.

The fact that public data was available on public profiles doesn’t insulate the companies from European data-protection rules, said Daragh O Brien, managing director at Castlebridge, an Ireland-based data protection consulting firm. He said European regulators will focus on how the companies handled data.

“It’s not simply about whether it’s public or private. It’s about whether there are safeguards in place around [the data’s] processing and its use,” he said.

Asked about the Irish regulator’s inquiry, a Facebook spokesman said the company is in touch with the regulator and is working to have the data removed from the online forum where “malicious actors” posted it.

The data scraping occurred without bypassing Facebook’s privacy settings or security measures, he said. A LinkedIn spokeswoman referred to a statement issued by the company saying that such data scraping violates its terms of service. Clubhouse didn’t respond to a request for comment regarding recent media reports that data from around 1.3 million users was posted online.

In France, privacy authorities are evaluating whether the GDPR applies to the audio-only social media platform Clubhouse, even though it has no office in the EU, and said they would take further steps if they conclude that it does apply. The data protection regulator in Hamburg said it sent questions to Clubhouse in February asking for details about how it protects user data.

Under the GDPR, even if personal data is accessible on a social media profile, a company or person must get permission from individuals to scrape their data, said Peter Hense, a partner at law firm Spirit Legal in Leipzig, Germany.

“You need justification for any processing, be it publicly available information or other data sources,” Mr. Hense said.

The GDPR requires companies to implement security measures protecting personal data and create safeguards that prevent data exposure. European regulators have the power to fine companies that violate the rules up to 4% of global revenue or €20 million ($23.9 million), whichever is higher. They could also order companies to change how they collect and process data if they find their practices break the law.

In Facebook’s case, some privacy experts say it is unclear if users were aware that data such as their phone numbers could be searched and linked to their accounts. Inti De Ceukelaire, a Belgium-based cybersecurity researcher, said the company’s statements that the affected data was already public were confusing, because some users chose to make their phone numbers private when sharing them with Facebook.

Some of those phone numbers were still searchable through a Facebook contact importer feature, Mr. De Ceukelaire said. Facebook said in an April 6 blog post it updated the feature in 2019 to prevent people from using software that could upload large sets of phone numbers.

The message conveyed by Facebook and other social-media companies, said Isabelle Buschke, head of the Brussels office of the Federation of German Consumer Organisations, is that users of social networks shouldn’t expect data on their public profiles to be handled carefully. They will conclude that “the only privacy you have is if you keep [your data] to yourself,” she said.

Write to Catherine Stupp at [email protected]

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.

This post first appeared on wsj.com
