Facebook has notified 6.8 million users that, due to a bug, the company allowed its third-party developers to access all the users' photos, including those marked as private.
Facebook says that the bug was active for two weeks in September, but it is only notifying users of this now (you can check if your photos were exposed here).
The GDPR requires Facebook to notify users of breaches within 72 hours. Facebook waited three months. They say this doesn't violate the GDPR.
Europe's General Data Protection Regulation, which went into effect earlier this year, gives companies 72 hours to notify the authorities of a breach. It's been well over 72 days since Facebook first spotted the Photos API issue.
That doesn't necessarily mean the company skirted the rules, though. Facebook argues that it needed that time to investigate whether the incident qualified as a breach under GDPR in the first place, and that it told the appropriate authorities within 72 hours of making that determination. Similarly, Facebook says it took so long to notify affected users because it needed time to identify and contact developers, and to build a "meaningful way" to notify users that they'd failed to protect their data. Given the number of times Facebook has had to do so this year, you'd think they'd have it down by now.
Facebook Exposed 6.8 Million Users' Photos to Cap Off a Terrible 2018 [Brian Barrett/Wired]