On 18 September 2019, the Turkish Personal Data Protection Board published a decision whereby it fined Facebook Inc TRY 1,600,000 (USD 280,000) with respect to a data breach.

Background

Facebook informed the Board on 14 October 2018 about certain cyber-attacks it had faced from 14-28 September 2018, stating that it had learned of the attacks on 25 September 2018. The company further stated in the same letter that it would provide further details regarding the said attacks in separate correspondence.

Upon receiving this notification, the Board launched an investigation against Facebook since it had failed to immediately report any unlawful access to personal data.

Board’s Investigation and Decision

According to the Board's investigation report of the Board, the data breach occurred between 14 September and 28 September 2018, due to a bug in the interaction between the “View Your Timeline as Someone Else”, “Birthday Celebrator” and “Video Installer” features.

As a result of the bug, the attackers were able to gain access to the personal data of nearly 300,000 Facebook users in Turkey, such as full name, photos gender, birth date, relationship status and education.

The Board rendered its decision on 18 September 2019, fining the company TRY 1,150,000 (USD 201,000) due to the failure to take the necessary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful access to personal data and TRY 450,000 (USD 79,000) for failure to duly notify the Board of the said data breach.

Conclusion

The amounts of administrative fines imposed by the Board is increasing. The administrative fine of TRY 1,600,000 applicable in this case was one of the highest given by the Board. The message is clear. As the importance of personal data protection and data privacy continues to increase, companies that collect personal data must be more careful in implementing their technical and administrative measures to avoid such penalties.