In short: The Irish Data Protection Commission (DPC) officially opened an investigation into a data breach Facebook reported last week, when the company estimated that a bug discovered in its platform was used to compromise some 50 million users around the world. The top data regulator of the European Union will be probing the company’s compliance with the General Data Protection Regulation, checking that it fulfills the obligations to users mandated by the recently enacted law. The probe will also focus on whether Facebook is taking the necessary steps to mitigate the risk of similar breaches happening in the future. The Menlo Park, California-based social media giant is still leading its own investigation into the matter, according to the DPC.
Background: Less than ten percent of the users compromised as part of the breach were EU nationals, the DPC said earlier this week. Regardless, the maximum fine that the regulator could issue to Facebook under GDPR amounts to well over $1.6 billion, i.e. up to four percent of its annual turnover. The breach was enabled by a bug in Facebook’s “View As” feature, which allowed hackers to access tens of millions of accounts via the platform’s access tokens. Facebook has disabled the functionality while it investigates, though it’s confident that the original bug has already been fixed.
Impact: With Facebook already targeted by day-one complaints following the enactment of GDPR, the pressure EU privacy watchdogs are exerting on the company is increasing. Between the Cambridge Analytica scandal from earlier this year and a number of other issues with the way the company has handled its user data, the European Parliament has already expressed its displeasure with the social media juggernaut and even said it’s pondering breaking Facebook apart during a late May hearing with co-founder and CEO Mark Zuckerberg. Whether those threats end up amounting to anything remains to be seen, but the latest incident certainly isn’t helping Facebook’s case.