Facebook Could Pay Over a Billion in Fines For 50-Million-User Data Breach

The massive data breach that Facebook announced Friday may end up being a costly one for the company.

The company said that it had found a data breach Tuesday and had been investigating the hack since. An estimated 50 million user accounts were affected by the breach, but Facebook was unsure what information was accessed and whether or not it was misused, according to the blog post the company wrote to announce the breach.

But the hack might end up costing the company more than a billion dollars in fines, The Wall Street Journal reported.

Under the General Data Protection Regulation, or GDPR, rules that went into effect June 1, companies that operate in any country that's part of the European Union must comply with the new security regulations. If an investigation is done into the steps Facebook took to protect its users and it's found that the company failed to appropriately protect them, the company could be fined.

That fine is $23 million or four percent of the company's global revenue for the prior year, whichever is higher. In this case, that means Facebook could face a $1.63 billion fine, according to The Wall Street Journal.

Under the new GDPR rules, companies also have an obligation to notify a regulatory body within 72 hours when a data breach may have compromised user or customer information.

Whether or not Facebook broke that 72-hour rule was unclear. The company said the breach was discovered Tuesday afternoon, but it's unclear what time zone "afternoon" refers to. The company then notified users via a "Security update" post on its newsroom website Friday with the timestamp 12:41 p.m. EDT. But the company notified the Data Protection Commission in Ireland, the regulator for Facebook's European operations, Thursday, according to The Wall Street Journal.

The report Facebook made to the DPC may not have been as detailed as required, though. The notification the company sends to the regulator has to include a number of details. It has to describe the breach and include the "number of data subjects concerned and the categories and approximate number of personal data records concerned," according to the GDPR law. It also must name a contact point for further inquiries, describe the likely consequences of the breach, and describe the measures taken to address it.

Whether or not Facebook met these requirements when the breach was discovered is still unclear and will require further investigation by the EU data protection authorities.

Facebook CEO Mark Zuckerberg arrives at the European Parliament, prior to his hearing on the data privacy scandal on May 22, at the European Union headquarters in Brussels. Facebook suffered a data breach this week and could face fines under the new GDPR rules. John Thys/AFP/Getty Images