- The Irish Data Protection Commission said it believes Facebook may have breached one or more laws.
- It comes after a dataset of 533 million Facebook users worldwide was made available on the internet.
- Facebook said it is "fully cooperating" with the Irish privacy watchdog in its inquiry into the data leak.
LONDON — Ireland's data protection watchdog said Wednesday that it has opened an inquiry into Facebook over a potential breach of European privacy rules.
The Data Protection Commission (DPC) said its probe focuses on reports that a dataset of 533 million Facebook users worldwide was exposed on an online hacker forum. Regulators believe the leak may be in breach of the EU's General Data Protection Regulation.
After speaking to representatives from Facebook Ireland, Ireland's DPC said it believes Facebook may have breached one or more laws, adding that the company may still be breaching certain provisions.
Facebook said it's "cooperating fully" with the regulator, adding that the leak in question "relates to features that make it easier for people to find and connect with friends on our services."
"These features are common to many apps and we look forward to explaining them and the protections we have put in place," a Facebook spokesperson told CNBC via email.
The social media giant has attempted to downplay the data breach, saying it was related to an "old" vulnerability that was fixed by 2019. It explained in a blog post last week that the data was scraped by hackers using its contact importer tool sometime before September 2019.
The DPC appears to be the first regulator to launch a formal investigation into Facebook over this issue. Since Facebook's European headquarters are located in Dublin, Ireland is the main enforcer of data regulations for the company.
It's unclear how long the investigation will last. Under GDPR, which was introduced in 2018, firms can be fined either 20 million euros ($24 million) or up to 4% of their annual revenues, whichever is the greater amount.
Ireland's data watchdog has faced criticism from privacy advocates for being too slow with its GDPR investigations into large tech companies. In December 2020, the DPC issued its first GDPR financial penalty against a major U.S. tech company, fining Twitter 450,000 euros ($538,897).