Thousands expected to sue Facebook in mass action against privacy breach

Digital Rights Ireland (DRI) is calling on victims of the recent major Facebook data breach to join a legal case against the tech giant in what will be the largest-ever mass action of its kind.

EU citizens among the half a billion people affected by the recent data breach can sign up at facebookbreach.eu to sue Facebook for damages.

Personal data – including individuals’ names, Facebook IDs, and phone numbers – were compromised as part of the major breach.

Digital Rights Ireland has made a complaint to the Irish Data Protection Commission (DPC). The group is now preparing to take the case to the Irish courts on behalf of individuals affected by the breach.

Dr TJ McIntyre, Chairperson of DRI, said: “DRI is calling on EU residents to join us in taking action against Facebook for monetary damages. Forcing companies like Facebook to pay money to users whose privacy rights they’ve violated is the most effective way to really change the behaviour of these big tech companies.

“The prospect of class and mass actions is going to be a major impetus for the largest and most profitable of tech companies to become legally compliant and stop treating user data like a commodity.

“Facebook is a uniquely powerful company, reaching into the lives of its billion plus users, and they need to get this right.”

Antoin O Lachtnain, Director of DRI, added:

“The scale of this breach, and the depth of personal information compromised, is gobsmacking.

“Those impacted deserve action and Facebook’s handling of this breach has been entirely inadequate.

“This will be the first mass action of its kind but we’re sure it won’t be the last. The laws are there to protect consumers and their personal data and it’s  time these technology giants wake up to the reality that protection of personal data must be taken seriously.”

DRI is taking action on Facebook’s most recent failure to protect user data, a breach discovered on Saturday April 3rd and affecting 533 million users.

Data was scraped as the result of an address book contacts import feature.

According to DRI, Facebook not only failed to implement privacy by design and by default to protect this user data, the company also failed to notify those affected when the leak occurred, and also failed to notify the Data Protection Commission. Each of these is a duty under the GDPR.

Irish law does not provide for class actions in the way the US law does.

A “mass action” is a more general, less legally specific term.

In a mass action, large numbers of people are represented in a single complaint, with the same or very similar facts and laws applying to all of their situations.

Those impacted by the breach who sign up to take part in this legal action could be awarded monetary damages. In comparable cases in other jurisdictions damages have varied between €300 and £12,000 for breach of one person’s rights.

To check if you are impacted by the Facebook data breach, visit the DRI campaign website at facebookbreach.eu.