Facebook under investigation in Europe over massive personal data leak

A formal investigation will aim to establish whether Facebook's handling of the leak constitutes a breach of the GDPR.

Katie Collins Senior European Correspondent

Facebook is under investigation in Europe for a leak that exposed the personal data of more than 530 million global users of its services. The Irish Data Protection Commission, the watchdog responsible for ensuring Facebook abides by European privacy laws, announced on Wednesday that it was opening an inquiry into whether the leak constituted a breach of the General Data Protection Regulation, or GDPR.

Personal information on hundreds of millions of Facebook users, including names, birth dates, email addresses and phone numbers, was discovered on a website for hackers back in January. The data set contains information on 533 million users from 106 countries, according to Business Insider, which first reported on its availability at the beginning of April.

Earlier this month, Facebook said the leak hadn't been caused by its services being hacked, but through the exploitation of a security hole that allowed data to be scraped from the platform. The vulnerability was fixed by Facebook in 2019, the company said.

The aim of the DPC's investigation will be to establish whether Facebook complied with its obligations as the "controller" of users' personal data, the regulator said in a statement. Among these obligations is Facebook's responsibility to inform the correct data protection authority and affected individual users of any data leaks in a timely manner.

"We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services," said a spokeswoman for Facebook in an emailed statement. "These features are common to many apps and we look forward to explaining them and the protections we have put in place."

Facebook doesn't yet appear to have notified any users affected by the leak. If Facebook is found to be in breach of the GDPR, the company can be fined up to 4 percent of its global annual turnover.

To check whether a particular Facebook account was affected, users can search the breach-tracking website Have I Been Pwned?