On Friday, Facebook announced that a security breach had compromised about 50 million accounts but said the issue had been resolved. Europe, however, has the world's toughest privacy rules, and the European Union could impose fines that, by some estimates, could exceed $1 billion.
Ireland's Data Protection Commission (DPC) complained that Facebook's initial disclosure of the breach was light on details. The DPC said Facebook appears unable to tell users the extent of the risk they face.
The DPC said it wants answers from Facebook, and those answers will determine whether fines are imposed and how large they are. Later, the commission tweeted that Facebook had begun to fill in some of the blanks.
“Facebook issued a blog on Friday last indicating that 50 million accounts were potentially affected by a security issue,” the agency wrote. “We understand that the number of EU accounts potentially affected is less than 10 percent of that. Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon.”
General Data Protection Regulation
The EU's General Data Protection Regulation took effect in May and imposes heavy penalties on companies found to be in violation of it. Offenders can be fined up to €20 million (about $23 million) or 4 percent of the previous year's worldwide annual revenue, whichever is higher. Under that formula, Facebook could face a fine in excess of $1 billion.
This isn't the first time Facebook has had to deal with a privacy issue. It faced a harsh backlash in March, when it revealed that personal information on millions of users had fallen into the hands of a political marketing firm.
In that case, there was no breach of its system. A third-party app developer had been granted access to the data but was not allowed to give it to anyone else. Facebook said the developer then sold the data to Cambridge Analytica, a political marketing firm.
At its developer conference in May, Facebook reaffirmed its commitment to protecting user data. CEO Mark Zuckerberg said the company would take a “broader view” of its responsibility to protect users' privacy.