It's time to reset the 'Days without a Facebook data loss' sign after 500 million records left exposed on AWS

I think it is, provided they state in the associated Terms that they are going to do that and the tickbox should be disabled by default. The problem is that FB doesn't allow access unless you tick that box, which one could debate as being illegal to start with.

I have a bigger question, though: why on Earth does someone need that big a dataset? And what due diligence does FB do on third parties handling that amount of data to assure themselves they're only as leaky as Facebook (not a high bar IMHO, but they didn't clear that one either)?

FB is, of course, going to blame the third party, but they carry serious culpability in allowing a company access without checking things first. Certainly at those sorts of volumes I'd consider that mandatory.

Zuck can talk all he wants, but I think he'll be on the hook for this one.

Not that he cares, of course.

Not necessarily

They only need a consent for sharing if they have declared that consent is the lawful basis they rely on for that sharing. It's perfectly possible to rely on, for example, legitimate interest. But if they do they must carry out a formal documented assessment of the balance of rights and risks between themselves and the data subject, and they should publicly declare every instance of sharing. It's not sufficient to just state, for example, "we may share with app developers". They must also in principle have validated the security and privacy management of every sharing partner.

Is there any documentary evidence that nay of this has been done? if not they could be in breach of the regulation.

Under GDPR I do not think they would be permitted to share the data, for development purposes, at all. I certainly can not see a need for 500m records to be a part of the development process.

Re: 540 million

Lots of people have multiple accounts and you also have to add in business accounts too. That's just legitimate users. The count really blooms when you factor in the click and upvote bot accounts and the auto-review accounts that exist to allow entities to purchase positive reviews and likes for their Amazon stores. I'm sure there are also mechanics for down-voting and negatively reviewing competitors.

And "where". I imagine they'll just shift operations to somewhere that suits them better.

That won't help, GDPR doesn't care about location, just about data over/from EU and EEA citizens and residents and its protection. And the equivalent Californian legislation isn't concerned about location of the data either.

He is right to be terrified of GDPR as Facebook is in serious breach. And GDPR has global reach, as long as data about even one single EU or EEA citizen or resident is involved.

Re: Facebook wouldn't know privacy if it got slapped round the face with a GDPR

The wording on the request for e-mail details suggests to me that the intent was then to use the e-mail account to send facebook a verification email.

I don't see why they would need to do that. The normal way of sending you a mail with a token and asking you to follow a link to verify fits the role well.

If they really needs you to send them an email from your mailbox, they could send one to you and ask you to reply to them.

Asking your password means only one thing: they have evil intents. In fact, no one with honest intents will ever ask you for your password. Ever. No where. Never. It could be your ISP hotline, it could be... Never. Ever.

Well, that is except US border cops, but's that's another topic.