Thousands urged to sue Facebook in mass action over leaked data
Digital Rights Ireland to take case against tech giant on behalf of social media site’s users
Some 1.5 million Irish people are among those whose personal data – including names, Facebook IDs, and phone numbers – were compromised. Photograph: Chris Delmas/AFP via Getty
Facebook users whose personal data was compromised in a recent leak have been urged to join a legal case against the tech giant that will be the largest-ever mass action of its kind.
Some 1.5 million Irish people are among those whose personal data – including names, Facebook IDs, and phone numbers – were compromised. In some cases other information, including employers’ and spouses’ names, email addresses, dates of birth and dates of account creation, was also leaked.
The civil rights group has made a complaint to the Data Protection Commission and is now preparing to take a case to the Irish courts on behalf of individuals affected by the breach.
Those impacted by the data leak who sign up to take part in the legal action could be in line for monetary damages of between €300 and €12,000 for breach of one person’s rights, DRI said.
“Forcing companies like Facebook to pay money to users whose privacy rights they’ve violated is the most effective way to really change the behaviour of these big tech companies,” said chairman Dr TJ McIntyre.
“The prospect of class and mass actions is going to be a major impetus for the largest and most profitable of tech companies to become legally compliant and stop treating user data like a commodity,” he added.
The data leak was first uncovered two years ago. However, until this month the files were difficult to find and access was usually obtainable for a fee. The information can now be found easily online for free.
According to DRI, Facebook not only failed to implement privacy by design and by default to protect user data, but the company also failed to notify those affected by the leak or the Data Protection Commission. Each of these is a duty under the GDPR laws, which came into effect in May 2018.
Irish law does not provide for class actions in the way the US law does. The “mass action” proposed by DRI is a more general, less legally specific term in which large numbers of people are represented in a single complaint, with the same or very similar facts and laws applying to all of their situations.
“The scale of this breach, and the depth of personal information compromised, is gobsmacking. Those impacted deserve action and Facebook’s handling of this breach has been entirely inadequate. This will be the first mass action of its kind but we’re sure it won’t be the last,” said Antoin O Lachtnain, director of DRI.
The Data Protection Commission this week began its own inquiry into how the personal data of Facebook users was leaked. It said the investigation will assess whether any parts of the GDPR or Data Protection Act 2018 have been or are being infringed by Facebook.
Individuals who wish to check if their details have been compromised and/or to sign up for the mass action can do so at facebookbreach.eu.