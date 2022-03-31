Breach of data having caused the access to more photos than Facebook users are allowed, is announced by the Engineering Director of Facebook Tomer Bay on 14/12/2018 under the title of "Announcement about a photo API bugin our developer ecosystem". According to this announcement, more photos were accessed than the capacity allowed by Facebook users.

It is estimated that the data breach may have affected 6.8 million users with 300 thousand users in Turkey and 1,500 applications created by 876 developers.

In its decision dated 11.04.2019 numbered 2019/104, the Authority reached the following conclusions on the issues stated in Facebook's announcement:

This data breach, reported by Facebook as originating from a faulty software, permitted third party applications to access user's Marketplace photos, Facebook stories and even photos uploaded to Facebook as a draft, whereas only access to timeline photos were allowed to.

Due to this violation, third-party applications accessed users' photos beyond their authorization for 12 days, between the dates of September 13 - September 25, 2018. The fact that Facebook did not take timely action to fix the faulty software constitutes a deficiency in taking technical and administrative measures.

This situation indicates that Facebook had difficulties in controlling its data flow considering the violation of the obligations regarding data security.

Facebook, requested permission from users to obtain more information regarding their friends or even accessing information other than what the users' would agree to give. This situation prevents explicit consent being considered as freely given.

It is considered that by the way the announcement of this data breach is made Facebook itself acknowledges it as data breach.

Based on the above conclusions the Authority has decided to impose to Facebook as the data controller:

- an administrative fine of TL 1.100.000 for having failed to take the necessary technical and administrative measures to ensure data security pursuant to paragraph (1) of Article 12 of the Personal Data Protection Law (Law) No. 6698.

- an administrative fine of TL 550.000 for having failed to timely notify the Authority the unlawful access of users' accounts pursuant to paragraph (5) of Article 12 of (Law) No. 6698.

There is also another decision given by the Authority regarding Facebook for a data breach occurred between the dates of September 14- September 28, 2018. The Facebook representative informed the Authority via e-mail that the data breach was caused from the complex interaction of multiple bugs in three different Facebook features "View As", "Video Upload Tool" and "Birthday Celebration".

The Authority stating that 280.959 Facebook users using Facebook in Turkish language may have been affected by the breach, reached the following conclusions in its decision dated 18.09.2019 numbered 2019/269 regarding the data breach:

Third parties were able to access Facebook users' sensitive personal data besides personal data such as "name, phone number, e-mail, gender, user name, religion, location and devices" through access tokens.

The data breach has continued for 14 months since necessary measures were not taken by Facebook.

Considering the large amount of the accessed personal data belonging to users affected by the violation, the possiblity of profiling could by third parties without the users consent has emerged.

Based on the above conclusions the Authority has decided to impose to Facebook as the data controller:

- an administrative fine of TL 1.150.000 for having failed to take the necessary technical and administrative measures to ensure data security pursuant to paragraph (1) of Article 12 of the Personal Data Protection Law (Law) No. 6698.

an administrative fine of TL 450.000 for having failed to timely notify the Authority the unlawful access of users' accounts pursuant to paragraph (5) of Article 12 of (Law) No. 6698.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.