Following the news that a security researcher discovered millions of unsecured Facebook user information on an Amazon server that had been stored by a 3rd party Application called Cultura Colectiva, this news story raises questions as to how 3rd party developers and Applications providers are vetted by Facebook, as well as what obligations Facebook instil upon 3rd parties when it comes to the confidentiality of its members’ information.

Cultura Colectiva describe themselves as “a digital platform that inspires audiences through content created with data and technology…. The largest digital platform in Mexico and Latin America with significant reach in Argentina, Chile, Columbia, and Spain” – which of course is in the EU, meaning that Cultura Colectiva are subject to the EU GDPR not only due to their reach extending into an EU territory, but it is also highly likely that EU data subjects access and interact with their app and their website from a number of destinations around the world. Cultura Colectiva then sent that data for storage into a remotely managed services provider (aka the Cloud) and failed to protect that data by leaving it unsecured.

Under the EU GDPR, an entity has 72 hours to report a data breach to a supervisory authority. If that data is likely to harm or affect the rights & freedoms of data subjects then that entity is legally required to inform that data subject without delay, yet it took several months for any action to be taken once the breach was discovered by a security researcher (the breach was initially flagged on the 1st February and it took 3 weeks for someone from Amazon to respond saying that they were “looking into the situation” and the data was finally removed on April 3rd– by Facebook, not by Cultura Colectiva – source:

It is worth remembering that when data is sent into the cloud, you are at the mercy of that 3rd party’s security controls and systems.

If that data has been sent into the cloud by a 3rd party (Cultura Colectiva are a 3rd party who stored the data on a server provided by a 3rd party- Amazon) who hasn’t taken appropriate security measures to ensure that the data is protected or secured, that is highly likely to lead to complete loss of control of that data, which could lead to catastrophic circumstances if the data is of a personal nature. What’s more is that the initial collector of that data is – as data controller – ultimately responsible for allowing that data to be accessed by a 3rd party. Therefore it is vital that contracts and agreements reflect the responsibilities where there are “joint-controllers” (Article 26 of the EU GDPR).

It is also vital that data subjects are aware of how their data will be processed and what protections are in place with partners of that 3rdparty, so that individuals can provide explicit, freely given, affirmative authorisation for their data to be used in the exact way as described by the controller.

Therefore an update of privacy notice(s) and internal policies that take into account in local laws and regulations of members/customers/users of that company needs to be actioned. For example, if your company HQ is in Mexico, and you are collecting EU data subject data and are processing it by storing it remotely in the US then you are bound not only by Mexican Data Protection Laws but also the Data Protection Laws of the US and the EU, as well as the local laws of the users’ nationality.

Share this post on: