With the growth of social media, our personal accounts have become data stores holding a great deal of information about us. Given how valuable personal data is, and how readily it can be misused, security is one of the most important concerns on platforms where we share so much of it.
A few days ago, Facebook Engineering Director Tomer Bar publicly disclosed that Facebook had discovered a software bug it had not been able to prevent, in a post titled ‘Notifying our Developer Ecosystem about a Photo API Bug’ on his personal blog. The announcement is available at https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/.
The announcement briefly stated that, for 12 days between September 13 and September 25, 2018, some third-party apps may have had access to a broader set of photos than usual, including draft photos that users had uploaded but not yet shared.
After this announcement, the Personal Data Protection Board launched an ex-officio investigation and published the result of this investigation on May 10, 2019.
As a result of the investigation, the Board established that the privacy of personal data had been violated and that the technical and administrative measures needed to prevent this infringement were deficient, and it therefore imposed an administrative fine of TL 1,650,000 on Facebook. The grounds for this decision are as follows:
- Facebook has discovered a photo API bug that allows third-party applications to access users’ photos, and Facebook reports this as a potential software malfunction after review.
- The API bug persisted for 12 days, between September 13 and September 25, 2018, and Facebook’s failure to intervene in time is indicative of deficiencies in its technical and administrative measures.
- When a Facebook user grants a third-party application access to their photos through the Facebook platform, the application should only be given access to the photos the user has shared on their timeline. Because of the API bug, however, third-party applications also had access to photos shared in the Marketplace, in Facebook Stories, and to draft photos. Giving applications access to more of a user’s photos than permitted is a violation of the Personal Data Protection Law.
- Facebook was not able to clearly identify which photos the third-party applications accessed. It can therefore be concluded that Facebook has difficulty controlling the flow of data on its own platform. This contradicts the data security obligations in paragraph (1) of Article 12 of the Law.
- Facebook platform applications first obtain users’ permission with wording such as “Your friends, connections and other people you play with will be able to see your game movements. The game has access to your public profile and to the people you know who are playing this game.” This processing of personal data is based on explicit consent. Since explicit consent must be given freely, the data subject’s explicit consent must not be made a pre-condition for providing or using a product or service. This constitutes a violation of the principle of compliance with the law and the rules of honesty in paragraph (2) of Article 4 of the Law.
- The violation may have affected 6.8 million users and 1,500 applications created by 876 developers.
- About 300,000 users in Turkey could have been affected by the data breach.
- The Facebook data breach, publicly known as the Photo API breach, was announced by Facebook Engineering Director Tomer Bar on 14.12.2018, which means that Facebook acknowledges the breach.
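The grounds above describe a classic access-scoping failure: an application granted access to a user’s shared timeline photos was also able to reach Stories, Marketplace and unpublished draft photos, and the platform could not say afterwards which photos had been exposed. The following is an added illustration of that failure class and of the audit check a defender would want; it is not Facebook’s code and says nothing about how the Graph API is actually implemented. The scope name `user_timeline_photos`, the surface labels, the `Photo`/`AppGrant` types and the sample data are all constructed for this example.

```python
"""Added illustration (not Facebook's code) of the over-broad photo access the
decision describes, with a hardened filter and an audit that lists what the
defective filter would have exposed. All names and data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: str        # constructed labels: "timeline", "stories", "marketplace"
    published: bool     # False = uploaded draft that was never shared


@dataclass(frozen=True)
class AppGrant:
    app_id: str
    user: str
    scopes: FrozenSet[str]   # hypothetical scope names, e.g. {"user_timeline_photos"}


# Hypothetical mapping from a granted scope to the photo surfaces it covers.
SCOPE_TO_SURFACES: Dict[str, Set[str]] = {
    "user_timeline_photos": {"timeline"},
}


def photos_for_app_buggy(photos: List[Photo], grant: AppGrant) -> List[Photo]:
    """Defect of the kind the decision describes: the authorization check stops
    at 'does the consenting user own this photo?' and ignores both the surface
    the photo was shared on and whether it was ever published at all."""
    return [p for p in photos if p.owner == grant.user]


def photos_for_app_fixed(photos: List[Photo], grant: AppGrant) -> List[Photo]:
    """Hardened filter: every photo returned must be owned by the consenting
    user, actually published, and on a surface the granted scopes cover."""
    allowed: Set[str] = set()
    for scope in grant.scopes:
        allowed |= SCOPE_TO_SURFACES.get(scope, set())
    return [
        p for p in photos
        if p.owner == grant.user and p.published and p.surface in allowed
    ]


def overexposed(photos: List[Photo], grant: AppGrant) -> List[Photo]:
    """Audit helper: photos the defective filter hands out beyond the grant.
    A non-empty result is the signal that access was broader than consented
    to, and it is exactly the per-photo record the decision faults Facebook
    for not being able to produce."""
    permitted = {p.photo_id for p in photos_for_app_fixed(photos, grant)}
    return [p for p in photos_for_app_buggy(photos, grant)
            if p.photo_id not in permitted]


# Constructed sample data: one user with photos on several surfaces plus a draft,
# and a second user whose photos the app has no grant for at all.
SAMPLE_PHOTOS = [
    Photo("p1", "alice", "timeline", True),
    Photo("p2", "alice", "stories", True),
    Photo("p3", "alice", "marketplace", True),
    Photo("p4", "alice", "timeline", False),   # draft, never shared
    Photo("p5", "bob", "timeline", True),
]
SAMPLE_GRANT = AppGrant("app-123", "alice", frozenset({"user_timeline_photos"}))


if __name__ == "__main__":
    print("buggy  :", [p.photo_id for p in photos_for_app_buggy(SAMPLE_PHOTOS, SAMPLE_GRANT)])
    print("fixed  :", [p.photo_id for p in photos_for_app_fixed(SAMPLE_PHOTOS, SAMPLE_GRANT)])
    print("exposed:", [p.photo_id for p in overexposed(SAMPLE_PHOTOS, SAMPLE_GRANT)])
```

Running it shows the defective filter returning four of Alice’s photos against the one the grant actually covers, with the Stories, Marketplace and draft photos listed as over-exposed. The design point is that scope enforcement has to be applied per object, on the surface and publication state of each photo, rather than once at the level of ‘this user consented to this app’.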
One notable aspect of the decision is that, although it has no connection with the software bug, the Board found the explicit consent obtained by Facebook to be contrary to the principle of compliance with the law and the rules of honesty. According to the Board, explicit consent must be given freely, whereas Facebook makes explicit consent a pre-condition for providing or using the service. This is inconsistent with the definition of explicit consent set out in the Law.
The Board unanimously decided an administrative fine of TL 1,100,000 on the ground that the situation was a data breach and Facebook did not take the necessary technical and administrative measures under paragraph (1) of Article 12 of the Personal Data Protection Law to prevent the breach.
In addition, the Board determined that Facebook identified the data breach on 19.09.2018 but did not notify the Board, and only began notifying the affected persons on 17.12.2018. The Board therefore found a violation of the requirement in paragraph (5) of Article 12 of the Law that notification be made as soon as possible, and imposed an administrative fine of TL 550,000.
Given that the software bug affected approximately 6.8 million users and 1,500 applications, the administrative fine can be considered proportionate to the violation.
In light of this data breach, it should be kept in mind while sharing personal data that there may be such major software bugs as in Facebook or in other similar platforms. In particular, companies should ensure that they fulfil their obligations under the Personal Data Protection Law.
Sinem İlikli, Legal Intern