Half a billion Facebook accounts leaked – Facebook has knowingly withheld this information from authorities for years

Question for written answer  E-001873/2021
to the Commission
Rule 138
Virginie Joron (ID)

In early April 2021, news broke of a data breach involving 533 million Facebook accounts[1]. Personal information is at stake, including telephone numbers, locations and some email addresses[2]. This breach could affect 20 million Facebook users in France[3].

According to reports, on Tuesday 6 April Facebook told the Irish Data Protection Commission that it chose not to notify the relevant authorities[4] of the breach, arguing that the breach took place before the EU’s General Data Protection Regulation came into effect.

• 1.Can the Commission explain whether or not Facebook is allowed to ‘choose not to notify’ the relevant authorities of a personal data breach?
• 2.Can the Commission shed some light on the measures available to hold companies such as Facebook accountable for consciously deciding to keep information on a data breach to themselves?
• 3.Now that this news has emerged, will the Commission take legal action against Facebook?

• [1] https://www.lemonde.fr/pixels/article/2021/04/05/cinq-questions-sur-la-fuite-de-donnees-concernant-plus-de-533-millions-de-comptes-facebook_6075616_4408996.html
• [2] https://edition.cnn.com/2021/04/06/tech/facebook-data-leaked-what-to-do/index.html
• [3] https://www.liberation.fr/economie/economie-numerique/facebook-les-donnees-de-533-millions-dutilisateurs-en-fuite-sur-le-web-20210406_FNRIQR4PXBF5BK6ALSEREIOPOY/
• [4] https://www.euractiv.com/section/data-protection/news/facebook-to-irish-data-body-533-million-user-breach-took-place-before-gdpr/