• by Sean Hargrave , Staff Writer, October 2, 2018

It is tempting to see the latest news from Facebook as the first big test for GDPR. With fifty million accounts compromised and Facebook saying it has no idea who did it or what they have done with data taken, the ingredients are all there for salacious headlines.

Newspapers and websites around Europe have been getting out their calculators to reveal that under GDPR, the maximum fine of 4% of global revenue comes in at around GBP1.25bn. Another US tech giant getting hit by a charge of more than a billion pounds makes for captivating headlines. 

The problem is that it's very unlikely any of this will happen, and certainly not to the extent of a billion pounds or more. The reality is that Facebook has done everything by the GDPR book. The new data privacy laws were brought in to encourage companies to immediately report problems to the European authorities and to warn users as soon as possible.

According to less headline-grabbing accounts, this is exactly what Facebook did. The moment the cyber breach was noticed, the Irish data watchdog was informed and the public was warned the next day, with many having to sign in again to their accounts as an extra safeguard to ensure that they are who they say they are.

The big fines are there for companies that sit on a problem -- a little like Uber was alleged to have done after a massive cyber breach in 2016 which authorities believe it should have acted on earlier when the problem was leaked to the public a year later.

Around 10% of the 50m affected accounts are believed to be in Europe, and the Irish data watchdog has confirmed it is investigating the breach. However, does anyone really think the Irish will go out of their way to punish a major US tech firm?

Remember -- this is the company that was on Apple's side when the EU decided the tech giant owed the Irish government 13 billion Euros in back tax. A huge chunk of cash, and the Irish government insisted it didn't want any part in the process and wasn't eager to claim the overdue payment.

The chances of the Irish authorities wanting to make an example of Facebook, then, are negligible. So, without any desire to slap Facebook with a fine and the fact that Facebook appears to have played this one by the book, we're left with only one reason why Facebook may be fined. Did their tech pose a danger? Had they done something ridiculously stupid to allow hackers in?

If this proves to be a sophisticated attack, rather than the type of simple SQL injection technique that shamed TalkTalk recently, then Facebook can probably walk away with a slap on the wrist and perhaps a small fine in the tens of thousands, or perhaps, hundreds of thousands. Nothing like the billion being talked about. 

So when reading the headlines coming out of Europe, it's worth remembering that it would appear Facebook did everything the law required of it. The chances of a jaw-dropping first fine equating to 4% of global turnover are simply nonexistent. 

Yes -- GDPR did bring in the potential for massive fines, but it also very clearly laid out how companies could do the right thing to avoid them.

Facebook will turn out to be a case of how holding one's corporate hands up avoids a billion-pound fine, rather than going down in history as the first recipient of a massive GDPR fine.