Data Protection Commissioner to investigate Facebook over password storage

Facebook reported glitch that exposed millions of user passwords to 20,000 employees

The Data Protection Commission (DPC) has opened an inquiry into whether Facebook has breached European Union data protection laws over how it stored users' passwords.

In March the social media giant announced it had fixed a glitch which meant passwords for hundreds of millions of users were stored in a readable format on its internal servers.

In a statement issued on Thursday, the DPC said it was notified by Facebook of the flaw, which affected users of Facebook, Facebook Lite and Instagram.

“We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR,” the regulator said.


Under strict new EU data protection rules, known as General Data Protection Regulation (GDPR), firms can face huge fines over data breaches or failings.

If Facebook is found in breach of GDPR over the storage of passwords, it could be hit with fines totalling billions of euro, calculated at 2-4 per cent of its global turnover.

The news comes as Helen Dixon, head of the DPC, is set to appear before the United States Senate in Washington next week, to answer questions on data protection and privacy.


Ms Dixon will appear before the committee on commerce, science and transportation on May 1st, alongside witnesses from the Future of Privacy Forum, the American Civil Liberties Union and non-profit online research body Common Sense Media.

The DPC has eight active statutory investigations into Facebook, and a further three into Instagram and WhatsApp, which are both owned by Facebook.

As Facebook’s European headquarters are located in Ireland, along with several other large social media companies, responsibility for regulating the firms falls under the DPC’s remit.

Since last May, the DPC is responsible for enforcing the EU’s GDPR rules and Ms Dixon has launched several investigations into companies following complaints and data breaches.


However, her office has been criticised for not being strict enough on tech companies.

This week, Brussels-based Politico Europe published an in-depth piece criticising the DPC’s office.

However, Michael Veale, a digital rights expert working at the London-based Alan Turing Institute, said criticism over the DPC’s regulation of large social media firms was “a bit premature”.

Since the new data protection laws came into effect last year, the Irish regulator has been working through several large inquiries, which have yet to come to fruition.

“The DPC is being very cautious over process and procedure,” Mr Veale said. He said “you don’t want to fall down on a technicality” and risk a subsequent legal challenge. The regulator was also sitting across the table from multinational companies with “significantly more legal resources”, he said.

“The last thing that they want is to be trigger happy, and then be later defeated in court,” Mr Veale said. In a statement, a Facebook spokesman said the firm was working with the DPC.

“At no point were these passwords visible to anyone outside of Facebook and there is no evidence that these internally stored passwords were abused or improperly accessed,” he said.

Jack Power

Jack Power

Jack Power is acting Europe Correspondent of The Irish Times