Facebook fined for failing to prevent Data Scraping techniques
On November 25, 2022, the Data Protection Commission (hereinafter, “DPCI”), Ireland’s privacy and data protection supervisory authority, issued a statement announcing that, following the conclusion of a sanctioning procedure initiated in April 2021, Facebook would be fined with 265 million Euros and the adoption of a series of corrective measures for failing to prevent the “data scraping” of its users.
What is data scraping?
Data scraping is a technique that allows the user to obtain data from the reading of a website through the use of an automated software, after which this information can be distributed in online forums or used for their own purposes.
The basic objective of extracting or obtaining such data is to study behavioral patterns and recurring trends in order to predict the needs or preferences of the users who own the extracted data.
In other words, obtaining this type of data or information allows companies to boost their commercial decisions and offer users certain products or services based on their specific preferences.
Investigation carried out by the Irish Data Protection Commission
During the investigation carried out on the american giant by the DPCI, it was found that the data of more than 530 million Facebook users were exposed on the internet, data such as the email addresses of those affected or their cell phone numbers, due to a flaw in the security systems of Facebook itself.
In this regard, and during the period between May 25, 2018 and September 2019, the DPCI carried out an exhaustive assessment on the tools: “Facebook Search”, “Facebook Messenger Contact Importer” and “Instagram Contact Importer”, in relation to the data processing carried out by Meta Platforms Ireland Limited, concluding such assessment that the company had infringed Article 25 of the General Data Protection Regulation (GDPR) due to the lack of implementation of adequate technical and organizational measures to prevent the aforementioned “data scraping”.
Taking into account the above, the DPCI determined that, due to the large volume of data affected, the fact that there were already precedents of scraping in the company and that Facebook could have identified well in advance that this technique was being used on the data of its users, it was appropriate to impose a significant fine for exposing those affected to a considerable risk, the consequence of which was the loss of control over their data being exposed to scams, spam and phishing.
Precisely for this reason, and in the interest of avoiding the use of scraping techniques such as the one mentioned and possible sanctions, several blockchain companies have chosen to develop blockchain social networking applications that do not require users to provide certain data such as, for example, their email addresses or phone numbers. In fact, the developers of Ethereum (technology that hosts digital money, global payments and applications) have created an authentication system called “EIP-4361” that is still in the testing phase but whose goal will be to standardize the wallet login process across all applications, eliminating the need to ask its users for personal information and preventing breaches such as the one that occurred at Facebook.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.
