Italian Data Protection Authority seeks clarifications on Facebook bug

On 2 July 2013, the Italian Data Protection Authority (the “Authority”) issued a press release informing that it required Facebook (“FB”) to provide clarifications in relation to a bug which was recently brought to light by the mass media, as well as by FB’s admissions and by complaints submitted before the Authority. This bug apparently affected more or less 6 million data relating to the contacts stored in the FB users’ address books, which “would have been subject of unwanted communication to third users, not necessarily in “friendship” connection with the people concerned and probably not even known by them”. Basically, according to the press release, the bug would have shown to a specific user other people’s personal information contained in the address books of “friend” users.

In light of this, the Authority urged FB to clarify the way it processes its users’ personal data. In particular, FB was required to provide an estimate of the number of Italian users involved in the event, and an indication as to its duration and the remedies adopted in order to fix the problem and prevent it from arising again. Moreover, the Authority requested FB to explain: i) if its users were aware that the contacts in their address book (or their data if stored in other users’ address books) could be collected and processed by FB; ii) if the bug and the relevant data processing also involved unregistered users and, if this is the case, if the latter were aware of the possibility that their data could be collected and processed by FB once stored in the address book of a FB user. Finally, the Authority wants to understand whether FB respected its users’ right to oppose the processing of their data.

This is not FB’s first problem with data processing. Recently, the well-known antivirus developer Symantec declared on its blog that it discovered another bug in the FB application for Android: because of this bug, the first time you launch the FB App on your device, the phone number would be automatically sent to the FB servers, without requiring any authorization by the users. This would happen even before logging in and irrespective of whether you create a FB account or initiate actions, being it sufficient the launch of the application. In specifying that the FB App is not the only application leaking data, Symantec also reported the answer of the social network to this issue: “FB states that they will provide a fix in the next FB for Android release and also guarantees not to use or process the collected data – which have been already deleted from their servers“.