There is a bit of irony about Facebook’s poor record of protecting the data of its users. Facebook is not founder Mark Zuckerberg’s first social networking experiment. In 2003, while he was studying psychology and computer science at Harvard University, he developed FaceMash, which paired pictures of students and let visitors to the website rate their attractiveness. FaceMash was shut down over charges of breach of security and violating individual privacy by taking photos of students from the school’s intranet without permission. The charges were dropped, and Zuckerberg was let off. A lot has changed between 2004, when Facebook was incorporated, and now. Facebook is not FaceMash, which, in CEO and chairman Zuckerberg’s own words, was a “prank website”. Facebook is now a listed company with a market cap of more than $400 billion. With about 1.49 billion people using it every day, Facebook has the world’s greatest receptacle of personal data with a proper social graph—a map of social connections of each user. In this day and age, data is power. If it fails to protect that, it has to face the music.
So far, it’s been a tough year for Facebook. First it was the furore set off by the Cambridge Analytica scandal, which involved the data analytics firm harvesting personal information of more than 80 million Facebook users. Towards the end of September, Facebook announced that another data breach had occurred in which hackers stole data of 50 million people. This figure was later revised to 30 million. A few days later the Irish Data Protection Council announced a probe, which will determine whether the company complied with the General Data Protection Regulation (GDPR) enforced in the European Union in May. It will also see whether the breach was notified within 72 hours of the incident. Facebook could face a fine of 4% of its annual global turnover—more than $1.6 billion. The latest rap on its knuckles for its failure to protect data came from the Information Commissioner’s Office in the U.K. It upheld a decision to fine Facebook £500,000 over the Cambridge Analytica scandal.
What about the impact of the September data breach on India, Facebook’s biggest market with more than 270 million users? As of now, in the absence of a comprehensive data privacy law, the government does not have adequate legal backing to clamp down on the social media giant. However, Facebook could find itself in the line of fire as the government readies to tackle data breaches more effectively, armed with a new law, which will come into effect soon. “The Indian context is not as clear as GDPR,” says Zain Pandit, principal associate at law firm J. Sagar Associates.
The regulations in India specify that if there is a breach, the data controller, or the intermediary, needs to notify the CERT (computer emergency response team) in a ‘reasonable’ amount of time. And there’s the rub: There’s no clarity on what that is. “Unfortunately, it becomes very difficult to ascertain what reasonable is. That language has given intermediaries, social networks and people who operate marketplaces, or cyber establishments, a fair bit of flexibility on how and when they should report the details of the incident,” Pandit says.