Facebook is looking down the barrel of a $2.2 billion fine for storing millions of passwords insecurely
- Europe's default privacy regulator for
- Ireland's data protection watchdog said on Thursday it will open a 'statutory inquiry' into whether Facebook broke Europe's strict privacy laws, the GDPR.
- Facebook said in March it hadn't found any evidence of misuse.
Facebook is facing a multi-billion dollar fine for accidentally storing millions of people's passwords in plain text.
Ireland's Data Protection Commission (DPC), which is the default privacy regulator for Facebook in Europe, said on Thursday it had launched a "statutory inquiry" into the social network after it admitted to the error.
The news of a fresh investigation comes a day after Facebook announced that it would be setting aside $3 billion to cover the costs of a privacy investigation launched by the US regulators, during its first quarter 2019 earnings call.
Facebook said in March that it had stored hundreds of millions of users' passwords in an unencrypted format for years, meaning employees with access to its systems could simply look at people's passwords. Around 20,000 workers were thought to be able to access the passwords, although Facebook said it hadn't found any evidence of misuse.
The DPC published a statement on Thursday saying it would investigate Facebook to see if it had breached Europe's strict privacy laws, the GDPR.
It said: "The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers. We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR."
A company that breaches the GDPR, which was introduced last May, can be fined up to €20 million, or 4% of global annual turnover, whichever is the bigger number. In Facebook's case, that would equate to around $2.2 billion.
Facebook said it would work with the regulator on its investigation.
A spokesperson said: "We are working with the IDPC on their inquiry. There is no evidence that these internally stored passwords were abused or improperly accessed."
Correction: An earlier version of this article incorrectly stated that the DPC is investigating Facebook's harvesting of email contacts.