Facebook breach hit 3 million in EU, putting new privacy law to test

The social network could face a fine of more than a billion dollars if it failed to notify European users within 72 hours.

Marrian Zhou Staff Reporter
Marrian Zhou is a Beijing-born Californian living in New York City. She joined CNET as a staff reporter upon graduation from Columbia Journalism School. When Marrian is not reporting, she is probably binge watching, playing saxophone or eating hot pot.

Facebook may have a run-in with Europe's new privacy law.

The Irish Data Protection Commission said Tuesday that roughly 3 million Facebook users living in Europe were affected by a data breach at the social network in September, according to CNBC.

Last week, the social network said hackers stole user information from 29 million people, rather than the 50 million it originally indicated in September. The hackers pilfered the information from user accounts after stealing Facebook's digital keys. The stolen information included names, birth dates, hometowns, workplaces and contact details, such as emails and phone numbers.

Facebook confirmed that it has been working with the IDPC over the past two weeks.

The data breach marks the first major test of Europe's new General Data Protection Regulation, according to CNBC. In May, the privacy law went into effect across the European Union's 28 member states. It affects companies with a digital presence in the EU, such as Facebook, and requires more openness about what data companies have and who they share it with.

Facebook CEO Mark Zuckerberg told US lawmakers in April that the GDPR in general "is going to be a very positive step for the internet."

The GDPR requires companies to disclose breaches within 72 hours. If it failed to comply in time, Facebook could face a penalty of more than a billion dollars.

"We strongly encourage Facebook to cooperate fully with the Irish Data Protection Commissioner and to provide all the necessary information to the persons affected, in line with EU data protection rules," said Christian Wigand, spokesman of the European Commission, in an email statement.

The Irish Data Protection Commission didn't immediately respond to requests for comment. 

First published on Oct. 16, 2:09 p.m. PT.

Updates on Oct. 17, 6:09 a.m. PT: Adds European Commission spokesman Christian Wigand statement.