Facebook could be fined up to $US1.63 billion for a massive breach which may have violated EU privacy laws

Facebook co-founder, Chairman and CEO Mark Zuckerberg testifies before a combined Senate Judiciary and Commerce committee hearing. (Photo: Chip Somodevilla/Getty Images)

  • Facebook may be fined as much as $US1.63 billion ($2.26 billion) by an EU privacy watchdog for a recent data breach announced Friday that compromised the personal information of more than 50 million users.
  • The hack may have violated the EU’s new privacy law called the General Data Protection Regulation, which would result in a hefty fine if EU citizens were affected.
  • Under the law, companies that don’t sufficiently protect user data face maximum fines of €20 million ($23 million), or 4% of the company’s global annual revenue from the prior year, depending on which sum is larger.
  • We know of at least two high-profile victims in the data breach: Facebook CEO Mark Zuckerberg, and COO Sheryl Sandberg.

Facebook may be fined as much as $US1.63 billion ($2.26 billion) by an EU privacy watchdog for a recent data breach announced Friday that compromised the personal information of more than 50 million users.

According to the Wall Street Journal, Ireland’s Data Protection Commission, Facebook’s lead regulator in Europe, said on Saturday it demanded more information about the nature and scope of the hack, which may have violated the EU’s new privacy law called the General Data Protection Regulation.

The strict new regulation went into effect in May, and aims to safeguard user data for individuals within the European Union. Under the law, companies that don’t sufficiently protect user data face maximum fines of €20 million ($32 million), or 4% of the company’s global annual revenue from the prior year, depending on which sum is larger.

In Facebook’s case, the maximum fine would be $US1.63 billion, according to the Journal. The case would likely center on whether Facebook took appropriate steps to safeguard its user data before the breach, it added.

Companies are also required to notify regulators within 3 days of a potential breach, facing a maximum fine of 2% of their global revenue. Ireland’s Data Protection Commission said Facebook notified it of the breach within that time frame, though the report “lacked detail,” the Journal added.

But the occurrence of a security breach is not enough on its own to warrant a fine, and the new privacy law’s fines have yet to be tested. According to the Journal, EU regulators often decline to issue a maximum fine when a company has cooperated, in part or fully, with an investigation.

On Friday, the tech firm revealed it had detected a security breach in which attackers gained access to the personal information of around 50 million Facebook users.

The hackers also gained access to personal information from third-party apps and services, like Tinder, Spotify, Airbnb and Instagram, which allow users to sign up using their Facebook login.

It remains unclear who was behind the attack, and whether specific persons were targeted.

But we know of at least two high-profile victims in the data breach: Facebook CEO Mark Zuckerberg, and COO Sheryl Sandberg. A spokesperson confirmed to Business Insider that the company’s two top execs had been affected.
