15 Feb 2021

Facebook sued for user data breach

The lawsuit claims the social media giant failed to protect the personal information of one million people

By Neil Fanning

Shutterstock

A data protection claim has been filed against Facebook by litigation specialist Hausfeld, instructed by journalist and writer Peter Jukes, for alleged loss of control over his personal data and the personal data of around one million other affected Facebook users in England and Wales.

Jukes’ claim relates to the period between November 2013 and May 2015, during which Facebook allowed a third-party app named ‘This is Your Digital Life’ to access not only the personal information of users who downloaded the app, but also that of their Facebook friends, without their knowledge or consent.

The claim is part of a class action on behalf of approximately one million users of the social media website, claiming it was in breach of its statutory duties under the Data Protection Act.

The alleged harvesting of users’ personal information was revealed as part of the Cambridge Analytica privacy scandal (where harvested data was used for political advertising) and the representative action will seek damages for all users affected.

The claim is being brought against Facebook Inc. and Facebook Ireland Limited under Rule 19.6 of the Civil Procedure Rules, by which a representative claimant can bring a claim on behalf of a class of people with the same interest.

Peter Jukes commented: “Facebook broke the law when it failed to protect my data from third parties. The ICO [Information Commissioner’s Office] made clear that this was an extremely serious breach, for which it levied against Facebook the maximum fine possible at the time. Affected consumers like me must be able to hold big companies like Facebook to account for playing fast and loose with our personal information.

“Facebook profits from its billions of users, who reasonably rely on the platform to protect the personal information they entrust to it. Facebook exploited that trust by making users’ private data available to a third-party app, without their consent or even knowledge. This opened our personal data up to abuse. It is only right that we, as consumers, hold Facebook to account for failing to comply with the law and for putting our personal data at risk, and to ensure that this is not allowed to happen again.

“I am stepping up on behalf of those whose trust Facebook wilfully exploited. It is the right thing to do to demand fair compensation for those million or so users, and to raise awareness among those who might not even know that Facebook failed to protect their personal data, or that they had a case against it.”

Hausfeld partner Michael Bywell said: “Facebook breached its legal obligations to protect the data of its users. The law is clear that Facebook had a duty to safeguard users’ personal information – a duty that it neglected. With an experienced team, committed class representative and funding and ATE insurance in place, we believe this claim offers the best avenue of redress for consumers who suffered at the hands of Facebook’s failure to abide by data protection laws.”

The affected users on whose behalf the claim is brought will not pay any costs or fees to participate in the legal action and have no financial risk in relation to the claim, which is funded by Balance Legal Capital and has After the Event insurance in place.

Facebook paid a £500,000 fine for serious breaches of data protection law in October 2019 following an investigation by the ICO into the use of personal data in political campaigns. The fine was the maximum allowable under the laws that applied at the time of the incidents.

The ICO’s investigation found that between 2007 and 2014, Facebook processed users’ personal information unfairly by allowing app developers to access it without sufficiently clear and informed consent. It allowed access even if users had not downloaded the app, but were simply ‘friends’ with people who had.

Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform.

Information Commissioner Elizabeth Denham said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better. We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”

For more details of the claims, see facebookdatabreachclaim


This content is available to subscribers only. To continue reading...

Sign in to your account

Take a one-month free trial

If you aren't a subscriber, please sign up for a one-month free trial to access all Robotics Law Journal content, including:

  • All premium online content
  • Daily newsletters
  • Breaking news alerts


If you require further information, please email [email protected] or contact call us on +44 (0) 20 7193 5801.