To paraphrase: Cambridge Analytica were only doing their job. And, strictly speaking, Facebook did not suffer from a data breach. Who to blame then? The FB login tool. When users log-in apps using FB account (rather than new credentials), the apps access their profile data and, until 2015, those of their friends. This is how a “standard” app called “thisisyourdigitallife” used FB login to create accounts with users opting to share personal profile data. Some doubt this is technically a “data breach” citing the lack of the intrusion-element; the leak being the result of “contacts harvesting” rather than of an external active hack by a malicious actor. Well, does it matter anyway? As Ido Kilovaty argues: “There should be no material difference if the personal information was obtained through a breach or through manipulating and exploiting FB’s data ecosystem. The result is the same – user personal information in unauthorized hands”. The GDPR notion of data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored, or otherwise processed” seems inconclusive and hardly calms the nerves. Our Carlo Marmo will be sharing his tech and regulatory recommendations shortly.