(Bloomberg) -- Facebook Inc. has become the first big test case for the European Union’s beefed up privacy rules as Ireland’s data watchdog opened a probe into a security breach announced last week that affected as many as 50 million accounts.
Ireland’s data protection authority on Wednesday said it has started investigating whether Facebook had “appropriate technical and organizational measures” in place to protect its users’ personal data. While not the first European probe into Facebook, it’s the first under the EU’s new data rules, which could lead to fines of as much as 4 percent of a company’s annual sales.
Facebook informed the Irish authority “that their internal investigation is continuing and that the company continues to take remedial actions to mitigate the potential risk to users,” the regulator said in a tweet, as it announced its probe. Facebook said in a statement that it’s in close contact with the regulator and “will continue to cooperate with their investigation.”
The breach adds more pressure to the U.S. social media giant, which is still reeling from the separate scandal this year stemming from the revelation that data belonging to as many as 87 million Facebook users and their friends may have been misused by a political consultancy that helped get President Donald Trump elected. That breach was called a game changer in the world of privacy as it happened shortly before the EU’s new law, called General Data Protection Regulation, took effect across the 28-nation bloc on May 25.
EU Justice Commissioner Vera Jourova, who pushed through GDPR, tweeted on Wednesday that she had spoken to the Irish privacy commissioner, Helen Dixon, to welcome the probe and give “my full support in getting to the bottom of this story.”
Jourova told reporters in Luxembourg this week that the latest Facebook breach is the “first big test case” for GDPR. Under the rules, the Irish regulator is taking the lead in the EU because Facebook has its European base in the country.
The EU’s top privacy official, Andrea Jelinek, who chairs the group of privacy commissioners from across the bloc, said in a tweet on Thursday that “all board members stand ready to engage in mutual assistance if needed.”
Facebook disclosed the breach a week ago, saying it had by now solved the vulnerability. It appeared that a hacker -- or hackers -- exploited several software bugs at once to obtain login access to as many as 50 million accounts. That access let the intruder act like users on their profiles, or on any applications where they signed in using Facebook.
Regulators under the old regime lacked the teeth they needed to levy fines that could really bite. The U.K. watchdog, which has been probing the Cambridge Analytica scandal, said in July Facebook could face a fine of as much as 500,000 pounds ($649,000) over its failures to prevent a breach. That’s the maximum penalty the regulator could levy before, and this still applies for any violations that happened before GDPR took effect on May 25.
The U.S. Federal Trade Commission’s chairman has signaled that his staff is also looking into the recent breach.
(Updates with comment from EU privacy chief in seventh paragraph.)
--With assistance from Sarah Frier.
©2018 Bloomberg L.P.