Turkey’s Personal Data Protection Board (“Board”) fined Facebook due to failure to take the necessary technical and administrative measures to prevent possible data breaches and to notify the Board of such breach.

Facebook representatives informed the Board on 25 September 2018 via e-mail that a data breach was caused by the complex interaction of multiple bugs related to different Facebook features. However, the breach in question was not duly notified by Facebook to the Board as envisaged under the Turkish Personal Data Protection Law (“Law”). In this respect, the Board started an ex-officio investigation on Facebook in accordance with article 15/1 of the Law. As a result of the investigation, the Board fined Facebook a total of TRY 1,600,000 due to the facts that Facebook did not take the necessary technical and administrative measures to prevent possible data breaches and failed to notify the Board of the breach which was detected on 25 September 2018.

As a result of the ex-officio investigation, the Board has determined that:

  • Between 14 September 2018 and 28 September 2018, attackers were able to access users’ personal data through the access tokens, which were generated by the interaction of multiple bugs in three different features of Facebook called “View As”, “Video Upload tool” and “Happy Birthday Videos”. 280,959 users that use Facebook in the Turkish language were affected by the breach.
  • Taking into account that the bugs in question should have been detected and fixed during the testing phase before their launch, Facebook failed to take the necessary administrative and technical measures in this respect.
  • Besides, given that the vulnerability continued for 14 months between 21 July 2017 and 27 September 2018 and no counter-action regarding the bug was taken in due time, the Board decided that Facebook failed to take necessary administrative and technical measures thereto.
  • The personal data of 280,959 affected users that use Facebook in the Turkish language including their profile information, location data, religion data, search histories and followed accounts were accessed by attackers.
  • In addition, it is determined by the Board that Facebook violated article 3 of the Board’s Decision entitled “Adequate Measures to be Taken by the Data Controllers in the Processing of Special Categories of Personal Data” dated 31 January 2018 and numbered 2018/10 due to the unauthorized access by the attackers to some affected users’ special categories of personal data such as the data regarding their religious beliefs.
  • Furthermore, the Board stipulated that through the personal data accessed by the attackers, profiling activities may be conducted against the data subjects and such activities could have a negative effect on them.

In this regard, the Board decided to impose on Facebook the following administrative fines pursuant to article 18/1/b of the Law:

  • Administrative fine in the amount of TRY 1,150,000 for failing to take the necessary technical and administrative measures as stipulated under article 12/1 of the Law, and
  • Administrative fine in the amount of TRY 450,000 for failing to notify the breach detected on 25 September 2018 in a reasonable time as stipulated under article 12/5 of the Law.

Please see this link for the summarized decision published on the Board’s official website on 3 October 2019 (only available in Turkish).

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.