Facebook is to be sued in Europe over the major leak of user data that dates back to 2019 but which only came to light recently after information on more than 533 million accounts was found posted for free download on a hacker forum.
Today Digital Rights Ireland (DRI) announced it’s commencing a “mass action” to sue Facebook, citing the right to monetary compensation for breaches of personal data that’s set out in the European Union’s General Data Protection Regulation (GDPR).
Article 82 of the GDPR provides for a “right to compensation and liability” for those affected by violations of the law. Since the regulation came into force, in May 2018, related civil litigation has been on the rise in the region.
The Ireland-based digital rights group is urging Facebook users who live in the European Union or European Economic Area to check whether their data was breached — via the haveibeenpwned website (which lets you check by email address or mobile number) — and sign up to join the case if so.
Information leaked via the breach includes Facebook IDs, location, mobile phone numbers, email address, relationship status and employer.
Facebook has been contacted for comment on the litigation. Update: A Facebook spokesperson said:
We understand people’s concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it. As LinkedIn and Clubhouse have shown, no company can completely eliminate scraping or prevent data sets like these from appearing. That’s why we devote substantial resources to combat it and will continue to build out our capabilities to help stay ahead of this challenge.
The tech giant’s European headquarters is located in Ireland — and earlier this week the national data watchdog opened an investigation, under EU and Irish data protection laws.
A mechanism in the GDPR for simplifying investigation of cross-border cases means Ireland’s Data Protection Commission (DPC) is Facebook’s lead data regulator in the EU. However it has been criticized over its handling of and approach to GDPR complaints and investigations — including the length of time it’s taking to issue decisions on major cross-border cases. And this is particularly true for Facebook.
With the three-year anniversary of the GDPR fast approaching, the DPC has multiple open investigations into various aspects of Facebook’s business but has yet to issue a single decision against the company.
(The closest it’s come is a preliminary suspension order issued last year, in relation to Facebook’s EU to U.S. data transfers. However, that complaint long predates GDPR; and Facebook immediately filed to block the order via the courts. A resolution is expected later this year after the litigant filed his own judicial review of the DPC’s processes.)
Since May 2018 the EU’s data protection regime has — at least on paper — baked in fines of up to 4% of a company’s global annual turnover for the most serious violations.
Again, though, the sole GDPR fine issued to date by the DPC against a tech giant (Twitter) is very far off that theoretical maximum. Last December the regulator announced a €450,000 (~$547,000) sanction against Twitter — which works out to around just 0.1% of the company’s full-year revenue.
That penalty was also for a data breach — but one which, unlike the Facebook leak, had been publicly disclosed when Twitter found it in 2019. So Facebook’s failure to disclose the vulnerability it discovered and claims it fixed by September 2019, which led to the leak of 533 million accounts now, suggests it should face a higher sanction from the DPC than Twitter received.
However, even if Facebook ends up with a more substantial GDPR penalty for this breach, the watchdog’s caseload backlog and plodding procedural pace make it hard to envisage a swift resolution to an investigation that’s only a few days old.
Judging by past performance it’ll be years before the DPC decides on this 2019 Facebook leak — which likely explains why the DRI sees value in instigating class action-style litigation in parallel to the regulatory investigation.
“Compensation is not the only thing that makes this mass action worth joining. It is important to send a message to large data controllers that they must comply with the law and that there is a cost to them if they do not,” DRI writes on its website.
It also submitted a complaint about the Facebook breach to the DPC earlier this month, writing then that it was “also consulting with its legal advisors on other options including a mass action for damages in the Irish Courts”.
It’s clear that the GDPR enforcement gap is creating a growing opportunity for litigation funders to step in in Europe and take a punt on suing for data-related compensation damages — with a number of other mass actions announced last year.
In the case of DRI, its focus is evidently on seeking to ensure that digital rights are upheld. But it told RTE that it believes compensation claims which force tech giants to pay money to users whose privacy rights have been violated are the best way to make them legally compliant.
Facebook, meanwhile, has sought to play down the breach it failed to disclose in 2019 — claiming it’s “old data” — a deflection that ignores the fact that people’s dates of birth don’t change (nor do most people routinely change their mobile number or email address).
Plenty of the “old” data exposed in this latest massive Facebook leak will be very handy for spammers and fraudsters to target Facebook users — and also now for litigators to target Facebook for data-related damages.
Apple has agreed to pay $113 million to 34 states and the District of Columbia to settle allegations that it broke consumer protection laws when it systematically downplayed widespread iPhone battery problems in 2016. This is in addition to the half billion the company already paid to consumers over the issue earlier this year and numerous other fines around the world.
The issue, as we’ve reported over the years, was that a new version of iOS was causing older (but not that old) iPhones to shut down unexpectedly, and that an update “fixing” this issue surreptitiously throttled the performance of those devices.
Conspiracy-minded people, who we now know are quite numerous, suspected this was a deliberate degradation of performance in order to spur the purchase of a new phone. This was not the case, but Arizona Attorney General Mark Brnovich, who led the multistate investigation, showed that Apple was quite aware of the scale of the issue and the shortcomings of its solution.
Brnovich and his fellow AGs alleged that Apple violated various consumer protection laws, such as Arizona’s Consumer Fraud Act, by “misrepresenting and concealing information” regarding the iPhone battery problems and the irreversible negative consequences of the update it issued to fix them.
Apple agreed to a $113 million settlement that admits no wrongdoing, to be split among the states however they choose. This is not a fine, like the €25 million one from French authorities; if Apple had been liable for statutory penalties those might have reached much, much higher than the amount agreed to today. Arizona’s CFA provides for up to $10,000 per willful violation, and even a fraction of that would have added up very quickly given the number of people affected.
In addition to the cash settlement, Apple must “provide truthful information to consumers about iPhone battery health, performance and power management” in various ways. The company already made changes to this effect years ago, but in settlements like this such requirements are included so they can’t just turn around and do it again, though some companies, like Facebook, do it anyway.
Three years after closing a $9.3 billion deal to acquire NetSuite, several Oracle board members have written an extraordinary letter to the Delaware Court, approving a shareholder lawsuit against company executives Larry Ellison and Safra Catz over the 2016 deal. Reuters broke this story.
According to Reuters’ Alison Frankel, three board members, including former U.S. Defense Secretary Leon Panetta, sent a letter on August 15th to Sam Glasscock III, vice chancellor for the Court of the Chancery in Georgetown, Delaware, approving the suit as members of a special board of directors entity known as the Special Litigation Committee.
The lawsuit is what is called in legal parlance a derivative suit. According to the site Justia, this type of suit is filed in cases like this. “Since shareholders are generally allowed to file a lawsuit in the event that a corporation has refused to file one on its own behalf, many derivative suits are brought against a particular officer or director of the corporation for breach of contract or breach of fiduciary duty,” the Justia site explained.
The letter went on to say there was an attempt to settle this suit, which was originally launched in 2017, through negotiation outside of court, but when that attempt failed, the directors wrote this letter to the court stating that the suit should be allowed to proceed.
As Frankel wrote in her article, the lawsuit, which was originally filed by the Firemen’s Retirement System of St. Louis, could be worth billions:
One of the lead lawyers for the Firemen’s fund, Joel Friedlander of Friedlander & Gorris, said at a hearing in June that shareholders believe the breach-of-duty claims against Oracle and NetSuite executives are worth billions of dollars. So in last week’s letter, Oracle’s board effectively unleashed plaintiffs’ lawyers to seek ten-figure damages against its own members.
It’s worth pointing out, as we reported at the time of the NetSuite acquisition, that Larry Ellison was involved in setting up NetSuite in the late 1990s and was a major shareholder at the time of the deal.
Oracle was struggling to find its cloud footing in 2016, and it was believed that by buying an established SaaS player like NetSuite, it could begin to build out its cloud business much faster than trying to develop something like it internally. A June Synergy Research SaaS market share report, while admitting the market was fragmented, still showed Oracle was far behind the pack in spite of that deal three years ago.
We reached out to Oracle regarding this story, but it declined to comment.
Oracle has been complaining about the procurement process around the Pentagon’s $10 billion, decade-long JEDI cloud contract, even before the DoD opened requests for proposals last year. It went so far as to file a lawsuit in December, claiming a potential conflict of interest on the part of a procurement team member. Today, that case was dismissed in federal court.
In dismissing the case, Federal Claims Court Senior Judge Eric Bruggink ruled that the company had failed to prove a conflict in the procurement process, something the DoD’s own internal audits found in two separate investigations. Judge Bruggink ultimately agreed with the DoD’s findings:
We conclude as well that the contracting officer’s findings that an organizational conflict of interest does not exist and that individual conflicts of interest did not impact the procurement, were not arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law. Plaintiff’s motion for judgment on the administrative record is therefore denied.
The company previously had filed a failed protest with the Government Accountability Office (GAO), which also ruled that the procurement process was fair and didn’t favor any particular vendor. Oracle had claimed that the process was designed to favor cloud market leader AWS.
It’s worth noting that the employee in question was a former AWS employee. AWS joined the lawsuit as part of the legal process, stating at the time in the legal motion, “Oracle’s Complaint specifically alleges conflicts of interest involving AWS. Thus, AWS has direct and substantial economic interests at stake in this case, and its disposition clearly could impair those interests.”
Today’s ruling opens the door for the announcement of a winner of the $10 billion contract, as early as next month. The DoD previously announced that it had chosen Microsoft and Amazon as the two finalists for the winner-take-all bid.
A California judge has dismissed Apartment Investment & Management Company’s lawsuit against Airbnb. Last February, Aimco, which owns or manages about 50,000 properties, sued Airbnb, saying that the company is deliberately incentivizing people to breach their leases.
An Illinois law is proving a thorn in Facebook’s side as a class action lawsuit, alleging mishandling of biometric information, moves toward trial. The latest developments in the case have the social network objecting against releasing or even admitting the existence of all manner of data, but the plaintiffs aren’t taking “objection” for an answer.