Gifts for $25 or Less Spotify Wrapped Neuralink Brain Chip Black Hole Burps Light of 1,000 Trillion Suns Stamp Price Increase Streaming Services to Cancel Melatonin Rival Monkeypox Renamed
Want CNET to notify you of price drops and the latest stories?
No, thank you

Facebook breach hit 3 million in EU, putting new privacy law to test

The social network could face a fine of more than a billion dollars if it failed to notify European users within 72 hours.

Facebook CEO Mark Zuckerberg
John Thys / AFP/Getty Images

Facebook may have a run-in with Europe's new privacy law.

The Irish Data Protection Commission said Tuesday that roughly 3 million Facebook users living in Europe were affected by a data breach at the social network in September, according to CNBC

Last week, the social network said hackers stole user information from 29 million people, rather than the 50 million it originally indicated in September. The hackers pilfered the information from user accounts after stealing Facebook's digital keys. The stolen information included names, birth dates, hometowns, workplaces and contact details, such as emails and phone numbers.

Facebook confirmed that it has been working with the IDPC over the past two weeks.

The data breach marks the first major test of Europe's new General Data Protection Regulation, according to CNBC. In May, the privacy law went into effect across the European Union's 28 member states. It affects companies with a digital presence in the EU, such as Facebook, and requires more openness about what data companies have and who they share it with.

Facebook CEO Mark Zuckerberg told US lawmakers in April that the GDPR in general "is going to be a very positive step for the internet."

The GDPR requires companies to disclose breaches within 72 hours. If it failed to comply in time, Facebook could face a penalty of more than a billion dollars.

"We strongly encourage Facebook to cooperate fully with the Irish Data Protection Commissioner and to provide all the necessary information to the persons affected, in line with EU data protection rules," said Christian Wigand, spokesman of European Commission, in an email statement. 

The Irish Data Protection Commission didn't immediately respond to requests for comment. 

First published on Oct. 16, 2:09 p.m. PT.

Updates on Oct. 17, 6:09 a.m. PT: Adds European Commission spokesman Christian Wigand statement.