Facebook privacy breaches prompt close scrutiny from Philippine regulator
2 October 2018. By Jet Damazo-Santos.
The Philippines’ relatively new privacy regulator is taking a hard line on Facebook, with the social media giant’s major privacy incidents prompting close scrutiny of how it processes data and responds to breaches.
While the inquiry by the Philippines’ National Privacy Commission, or NPC, into the Cambridge Analytica case is still underway, Facebook’s initial response to the recent “View As” breach affecting some 50 million users has already been found wanting.
Over the weekend, the NPC said it told Facebook that “the notification it sent to individuals leaves much to be desired.”
Philippine privacy laws require that individual-breach notifications be sent out, according to Francis Euston R. Acero, the head of the complaints and investigations division at the NPC.
“They have to be individual, they have to explain what happened, how much of your data was affected and what they’ve done to address that exposure,” he told MLex, adding that individual notification means some kind of customization was involved.
“What Facebook sent so far is not compliant with those regulations.”
Acero said Facebook maintains it doesn't have enough information yet to enable it to report to individual data subjects.
“People are getting anxious over what kind of exposure happened, and it would help them if they would individually notify each individual affected,” Acero added.
For now, he said the NPC will take a “trust and verify” approach, with Facebook committing to give the regulator access to its records to allow it to verify its actions.
The NPC’s inquiry into this latest incident will run separately from the ongoing one into the Cambridge Analytica case.
Acero said he expects movement on that front this month, as the commission has laid out its expectations of Facebook in the matter.
“But we’re asking for some pretty comprehensive data and I don’t expect it will be resolved any time soon,” he said.
That comprehensive information refers to how Facebook processes data, which Acero said is not yet clear to the regulator.
“We wanted to understand that how they process data is actually compliant with Philippine law,” he said.
The way Facebook has responded to the NPC in the past, he added, has shown a lack of understanding of the nuances of Philippine data-privacy law.
“But they’ve committed that they’re going to change that,” Acero said.