Facebook can't use the breach itself to contact users, no. The data could have been tampered with, and besides, Facebook doesn't have permission to process the leaked data in that way.
A company that employs dozes of data scientists and has petabytes of data is now supposedly unable to compare and match two datasets? Come on, this is beyond ridiculous.
Clearly they technically can. It's that the GDPR doesn't allow it.
Think about it... If you asked a company to delete your data, are you giving them permission to go refind that data on the dark web, cross reference it with records they should have deleted, and use it to send you email? Clearly not.
Source? Nothing prevents Facebook from making a public announcement that anyone that had an account on Facebook between dates X and Y might have been affected.
The post I was replying to was claiming the GDPR prevented it. If that is incorrect, then so be it. I'm American, so it largely doesn't directly affect me.
If they find a match against the leaked data, that would validate it and prove it had not been tampered with and at least allow them to contact a subset of users. Why can't they do that at least?
They can do that. They probably won't because they'll argue it's all part of peoples public profiles and therefore published information rather than private information.
