Today’s case regarding a woman who is taking Facebook to court over the hacking of her account is likely to stoke the fires of debate over the obligations of social media companies when it comes to data protection.
So what is data protection?
Essentially, data protection regulations are in place to protect you, and any information pertaining to you, that’s held by organisations.
The regulations were given a major overhaul in 2018 with the introduction of the General Data Protection Regulation (GDPR). Many countries already had data protection legislation in place, but the GDPR increased fines and sanctions and placed stronger obligations on organisations. A fine under the GDPR can run to €20 million or 4% of the company's worldwide annual turnover, whichever is higher, and for Facebook that could mean hundreds of millions, if not billions, of euro.
With its presence across multiple services on the internet, Facebook holds more information than most, and it is obliged to protect that information with appropriate security measures so that it cannot be accessed by anyone who is not authorised to see it.
Signing up for a Facebook account requires you to consent to your data being used, and giving that consent triggers Facebook's obligations. So those little boxes you tick when setting up your account have a very meaningful effect in law: Facebook becomes responsible for ensuring the security of your information.
Adequate security measures must also cover what happens if those measures fail, that is, what must be done in the event that your information is accessed by another party.
The GDPR operates under a simple motto: data protection must be "by design and by default".
"By design" means that data protection and privacy measures must be built into the design of the project in question, so that they become part of the "make-up" of the project at the earliest point possible.
"By default" means that the user settings must automatically be geared towards data protection, with only the data needed for a given purpose processed unless the user chooses otherwise. So a company can't just take information without your consent; this is why you need to "opt in" on most websites that feature cookies or other programs that might collect your data.
If there is a breach of your data, the GDPR sets out a comprehensive procedure for dealing with the situation. The company in question must examine the information that has been accessed and assess the risk to the individuals whose data it is. Unless the breach is unlikely to result in a risk to those individuals, the company must notify the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to the individual, the company must also tell the individual who is now at risk, again without undue delay.
Before the GDPR came into effect, Facebook announced that it was rolling out a new global privacy system that would prepare the company for the new requirements.
Things haven't always been plain sailing, though, and given Facebook's size, its breaches are immense. One breach disclosed in 2018 was reported to have affected the personal data of some 50 million users.
In today’s case, the Facebook user claims that her account was hacked and that she was locked out of it while the hacker in control continued to send messages in her name. She entered into the usual process that’s in place to retrieve her account and solve the problem, but says that this hasn’t been successful.
The case is due in court again in early February, and it's one to watch to see whether it will cause social media companies to review their data protection provisions and, if so, what that will mean for the ordinary user.
Do you have queries about your own company’s obligations under GDPR?
Contact us today on firstname.lastname@example.org