The Irish Data Protection Commissioner (DPC) has opened a formal investigation into the data breach at Facebook that affected nearly 50 million accounts.
On Tuesday, the data protection watchdog said it was looking into whether to open an official probe and on Wednesday decided to do so.
“The investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes,” the Irish DPC said in a statement on Wednesday.
Facebook said last week that it found a bug in a part of its service that allowed hackers to access information of nearly 50 million people. Less than 10 percent of those accounts were in the European Union (EU), according to the Irish DPC.
The U.S. tech giant’s European subsidiary is based in Ireland and the social network chose the country’s DPC as its “one-stop shop” as the regulator for data privacy matters in the EU. Therefore the Irish DPC will eventually decide the punishment, if any, that Facebook will face under the EU’s strict General Data Protection Regulation (GDPR) which was introduced in May.
Under the regulation, companies that suffer a data breach must report it to the authorities within 72 hours of it being discovered, something Facebook appears to have done. But another, more worrying part of the law for Facebook, is the financial punishment that could follow.
Firms can be hit with fines if they are found to have not done enough to prevent a data breach or went against any of the principles around the processing of information laid out in GDPR legislation. The maximum fine Facebook could face is 4 percent of annual global turnover, if it is found to have breached GDPR. Since the social network made over $40.65 billion last year in revenue, that total fine could amount to around $1.63 billion.
This is what the Irish DPC’s investigation will seek to establish. The Facebook data breach is the first real test for GDPR and is believed to be the biggest hack in Facebook’s history.
A Facebook spokesperson was not immediately available for comment but the Irish DPC said the company had said that its “internal investigation is continuing and that the company continues to take remedial actions to mitigate the potential risk to users.”
The breach comes at a bad time for the social networking giant which has had a torrid year dealing with the fallout over various issues including the Cambridge Analytica data scandal and scrutiny over its role in elections.