Aren't they required to disclose this, at least to California residents, under California's data breach disclosure laws? Or was it not the type of PII covered under the law?
"Facebook, which has long been under scrutiny over how it handles user privacy, in 2019 reached a landmark settlement with the U.S. Federal Trade Commission over its investigation into allegations the company misused user data. [...]
The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident."
In EU law too. Booking.com just got fined half a million just for notifying TOO LATE (two weeks after the fact).
I assume they expect to claim it's not a fb leak in some convoluted way, otherwise I don't understand that move.
Oh wait, weren't there also shadow numbers in this? AKA you had my number, you uploaded it, so it's in the leak even though I had no relation to them? Might be why; they have no right to contact me to warn me.
Yeah, but the b.com leak involved credit card data which changes everything in the eyes of regulators. Sadly this is not true for "mundane" data like phone numbers, email addresses, or even physical addresses.
They are absolutely required to report this to the data protection agencies in all European countries. As the other comment mentioned, missing the 72 hour deadline on this is enough to get a fine as Booking.com did.
I'm curious to see the total in GDPR fines from this for Facebook. Will probably take a year or two before we know.
GDPR is a gift to large corporations. Regulatory capture in return for a slap on the wrist. It also burdens startup competition and trains people to click "Allow Cookies" and "Accept the Terms of Service" as fast as possible.
GDPR is extremely similar to pre-existing privacy laws in some EU countries. It also applies to startups and large corporations equally, and in practice is more likely to be lenient towards startups making genuine mistakes while trying to obey the rules versus large corporations intentionally ignoring them.
The "Allow Cookies" and "Accept Terms of Service" click-throughs also barely meet any of the GDPR requirements and in the case of the latter don't necessarily constitute informed consent: EU courts have repeatedly ruled that a wall of text cannot be used in software to hide "surprising" rules (e.g. that your WhatsApp account will be banned if you use a third-party client).
It really wasn't: unlike other similar laws it is written in terms of worldwide revenue (not profit), not a fixed fine, so it's not as easy to simply treat violations as being "free".
The actual work involved is trivial if you minimize data collection, which is the whole point - you shouldn't collect anything you don't actually need and GDPR got rid of the "abusing user privacy is purely profitable" excuse.
Regulatory capture is an anti-piracy bill that requires scanning all uploads using technology that only a few companies have or that costs more than the potential income of a business. That's why YouTube was generally in favor of that bullshit EU "anti-piracy" law.
Not happening because at best the FTC can fine them. That is just the cost of business to them these days. It's part of their "move fast and break things" philosophy.
"The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident."
Seems like it.