Decision Publication Date: May 10, 2019
Unofficial Translation of the Summary of the Decision w. no 2019/104 dated 11.04.2019 on the Evaluation of the Facebook Data Breach
Date of Decision: 11/04/2019
Decision No: 2019/104
Summary: Evaluation of Facebook Data Breach
Facebook data breach, otherwise known as "Photo API Bug" was announced to the public by Facebook's Engineering Director Tomer Bar on 14.12.2018 on https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/ with the heading "Notifying our Developer Ecosystem about a Photo API Bug"
In the announcement, it was stated that;
· a photo API error that allows third-party applications to access Facebook user photos was discovered,
· the error was corrected however some third-party applications may have had access to photos without authorization for 12 days from September 13 to September 25, 2018,
· when a third-party application is allowed to access photos by Facebook users on Facebook platform, it should only access the photos shared on the timeline, however in this instance due to the error, third-party applications have had access to other photos shared on the Marketplace or Facebook Stories as well,
· Further, this error affected photos which are uploaded as a draft on Facebook and have not yet shared,
· The announced error may have affected 6.8 million users and 1,500 applications created by 876 developers,
· The announced error affected applications that had permission to access Facebook's photo API and had access to photos of individuals, and
· tools to enable Facebook application developers to identify people who use their applications and who are affected by this error will be developed.
The above-mentioned situation is a violation of data privacy and therefore is a data breach. Further, Facebook is required to notify the breach to Board pursuant to Article 12 (5) of the Law on Protection of Personal Data w. no 6698 ("Law") which stipulates "Data controller must notify affected data subjects and Board, if processed personal data is obtained by unauthorized parties by illegal means." however no notification was sent.
Thereafter, the Board decided to carry out an ex officio examination under the provision of Article 15 (1) of the Law which reads "The Board, upon complaint or upon finding about the allegation of breach, shall conduct the necessary examination on matters falling within its scope"
As a result of the examination it is found out that;
A photo API error that allows third-party applications to access Facebook user photos is discovered and after review, this was reported as a potential software error,
API Error occurred between September 13 - September 25, 2018 for 12 days,
The fact that Facebook did respond to the API error timely is an indicator of lack of technical and administrative measures,
When a third-party application is granted access to photos by a Facebook user, such access grant should be limited to photos on the timeline however due to the error, third-party applications have had access to other photos shared on the Marketplace or Facebook Stories as well,
Further, third-party applications have had access to photos that Facebook users have uploaded to Facebook as draft and have not yet shared, and there was access to photos beyond what was granted by Facebook users. This is a breach of Article 12 (1) of the Law and is in breach of the following principles; “Compliance with the rules of law and honesty" which is referred to in Article 4 (2 - a) of the Law and "Proportionate, limited and related with the purposes of processing" which is referred to in Article 4 (2-ç),
Considering that Facebook could not determine whether these third-party applications can actually access specific photos (more than the number normally allowed) shows that Facebook has difficulties in controlling the data flow on its own platform and that this is against Article 12 (1) of the Law,
Further, Facebook platform application obtain consent using the wording "Your friends, links and other people you play together can see your game moves. The game has access to your public profile and the people you know who play this game." even though users do not want the allow applications to access their friends' information and other information. Facebook relies on explicit consent but does not allow users to select what personal data to share in the application and allow users to select privacy settings. Since explicit consent must be based on free will, explicit consent must not be a precondition for providing a service or product.
Therefore, this practice is contrary to the principle of "Compliance with the rules of law and honesty" which is stipulated in Article 4 (2-a) of the Law,
The announced breach may have affected 6.8 million users and 1,500 applications created by 876 developers,
The breach may have affected 300.000 users in Turkey,
The fact that the Facebook data breach, otherwise known as "Photo API Bug" was announced to the public by Facebook's Engineering Director Tomer Bar on 14.12.2018 on https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/ with the heading "Notifying our Developer Ecosystem about a Photo API Bug" shows that a breach exists and Facebooks admits the existence of such breach.
Therefore, it is decided to fine Facebook
1) unanimously with TRY 1.100.000 (€ 158.000) pursuant to Article 18 (1 - b) of the Law based on the reasons above considering there was a data breach and Facebook did not take the necessary measures stipulated in Article 12 (1) of the Law to prevent the breach and
2) unanimously with TRY 550.000 (€ 79.000) pursuant to Article 18 (1 - b) of the Law considering controller became aware of the breach on 19.09.2018 however the Board was not notified and the breach which occurred between 13.09.2018 - 25.09.2018 was informed to data subjects starting from 17.12.2018, which is against the requirement to notify the breach as early as possible pursuant to Article 12 (5) of the Law.