- A European regulator announced that it's investigating Facebook over a leak of 533 million people's data.
- Ireland's Data Protection Commission will probe whether Facebook broke EU privacy laws.
- Facebook could face a fine of up to 4% of its $86 billion global revenue if found responsible.
- See more stories on Insider's business page.
Europe's leading privacy regulator is investigating whether Facebook broke the law in its handling of a leak of over 533 million people's phone numbers and personal data.
Ireland's Data Protection Commission, the body charged with overseeing Facebook's privacy compliance in the European Union, announced it had opened an investigation into the social media giant on Wednesday. If Facebook is found to have violated the EU's data rules, it could face a monetary fine of up to 4% of its $86 billion global revenue.
In a statement, the DPC said it believes EU data rules "may have been, and/or are being, infringed in relation to Facebook Users' personal data."
The personal data of over 533 million Facebook users were dumped online for free in a hacking forum earlier this month, Insider first reported. The data included phone numbers that users didn't make public on their Facebook profiles, which were scraped by cybercriminals in violation of Facebook's terms of service.
A Facebook spokesperson said in a statement to Insider that the company is "cooperating fully" with the investigation, adding that the DPC is probing a now-patched vulnerability in a Facebook tool that made it possible to gather information about a Facebook user by entering their phone number.
"We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place," the spokesperson said.
When news of the leak first broke, Facebook said the data was scraped due to a vulnerability that the company patched in 2019, and downplayed the issue as "previously reported" - but the company never publicly addressed the vulnerability in detail until the data dump this month.
Facebook also said it does not plan to notify the hundreds of millions affected by the data breach because it's not confident that it has full knowledge of which users are affected, and because users can't take steps to fix the issue given that the data has already been published online.
The DPC investigation comes on the heels of pressure from the European Commission. Justice commissioner Didier Reynders said on Monday that he had met with the DPC head Helen Dixon regarding the Facebook leak.
-Didier Reynders (@dreynders) April 12, 2021
The EU investigation will probe whether Facebook had a legal obligation to notify users and European regulators when it found and fixed the vulnerability. The EU's data privacy rules, known as GDPR, require such disclosures - but the GDPR only applies to data processed after 2018, and it's not yet clear if the leaked Facebook data was scraped before the GDPR went into effect.
The DPC said that it has already started questioning Facebook about the data leak and that Facebook has "furnished a number of responses."