Legal updates and opinions
News / News
“So the wolf showed his teeth” – not again Facebook!
by Ahmore Burger-Smidt, Head of Data Privacy Practice
“Little pigs! Little pigs! Let me in! Let me in!”
“No! No! No! Not by the hairs on our chinny chin chin!”
“Then I’ll huff and I’ll puff and I’ll blow your house down.”
In The Three Little Pigs, the conflict centres around the fact that the big bad wolf wants to get inside the pigs’ homes to eat them. Facebook faces a “wolf” that is doing his best to get it to allow him access to its users’ information and this persistence, may very well blow the Facebook house down.
Facebook, already facing scrutiny over how it handled personal information of its users, just during the Cambridge Analytica saga earlier this year, disclosed that a further attack on its computer network had exposed the personal information of millions of users.
This breach is reportedly the largest in the company’s 14 year history.
The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them. The attackers allegedly exploited two bugs in the site’s “View As” feature, which allows users to check what information other people can see about them. Ironically, this feature was built to give users more control over their privacy. The hackers allegedly also attempted to harvest users’ personal information, such as their names, sex and hometown from Facebook’s systems.
Facebook’s European subsidiary is headquartered in Ireland and the Irish Data Protection Commission is the data watchdog that regulates Facebook. The Facebook data breach will be the first major test of Europe’s tough data protection laws, the General Data Protection Regulation (“GDPR“).[1] The GDPR regulates how companies handle the data of European citizens and governs how that information is stored and used.
The GDPR to a large extent, deals with data breaches as well as the penalties for companies who fail to notify regulators about a data breach within 72 hours of it occurring. Firms can also be fined if it is found that they do not have adequate measures in place to prevent a data breach or have acted contrary to any of the principles of processing information as set out in GDPR.
If it is found that Facebook breached the GDPR, the maximum fine that Facebook could potentially face is 4% of its annual global turnover. It is estimated that the social network’s 2017 revenue is over $40.65 billion and the potential fine could amount to approximately $1.63 billion.
The primary moral lesson that Facebook can learn from “The Three Little Pigs” is that hard work and dedication pay off. While the first two pigs built their houses quickly and spent their free time playing, the third pig laboured in the construction of his house of bricks – data security in terms of POPIA[2] and a data breach plan cannot be ignored!
Facebook has been reshuffling its security teams since its chief security officer left its employ in August. Instead of acting as a stand-alone group, security team members have been working closely with product teams across the company. This move, the company said, is an effort to embed security across every step of Facebook’s product development.
Still, the recently discovered breach is a reminder that it is exceptionally difficult to entirely secure a system that connects with thousands of third-party services and has more than 2.2 billion users globally.
The Three little pigs lived happily ever after.
[1] General Data Protection Regulations (EU) 2016/679.
[2] Act 4 of 2013.
Latest News
Misuse of the business rescue process – failure before it begins
by Dr. Eric Levenstein, Director and Head of Insolvency & Business Rescue and Amy Mackechnie, Senior Associate Business rescue was introduced [...]
Constitutional Court clarifies rights of innocent contractors under invalid state contracts
by Sarah Moerane, Director and Kuhle Joja, Associate In Minister of Defence and Military Veterans v Zeal Health Innovations (Pty) [...]
Untangling the mischief of section 43 of the Electronic Communications Act: A missed opportunity in the Amendment Bill
by Corlett Manaka, Director and Head of Disputes, Akhona Bilatyi, Director and Koketso Rapoo, Senior Associate On 12 March 2026, [...]
A charge by any other name would smell as sweet
by Bradley Workman-Davies, Director The Labour Appeal Court's judgment in Machi v Chep SA (Pty) Ltd and Others serves as [...]
When a misdirected email becomes a data breach: The Information Regulator issues an enforcement notice on internal and accidental security compromises
by Armand Swart, Director, Hlonelwa Lutuli, Associate and Isabella Keeves, Candidate Attorney On 22 May 2026, South Africa’s Information Regulator [...]
Renting out your home? The Consumer Protection Act does not apply to you says Supreme Court of Appeal
by Armand Swart, Director In the judgment of Els v Venter and Another (449/2024) [2025] ZASCA 163 (27 October 2025), [...]
