The European Union’s (EU) new General Data Protection Regulation (GDPR) may see Facebook facing record fines for its latest data breach scandal.

More than 50 million Facebook users were affected by a recent security breach that was reported on Friday, September 28, 2018. Ireland's Data Protection Commission (DPC) is reportedly investigating this data breach and is demanding that the Silicon Valley-based company divulge more information regarding the scope and nature of the attack.

Facebook may face fines up to $1.63 billion according to the Wall Street Journal, who reported that the company may have violated the EU’s General Data Protection Regulation (GDPR). The GDPR protects consumers’ data and privacy and has the power to fine firms who fail to safeguard data correctly.

Facebook’s hack represents the first test for GDPR
Facebook’s data breach will be the first major test of the GDPR, which was introduced in May of this year. These new privacy laws were designed to protect the user data of EU citizens. According to GDPR rules, firms that fail to protect user data can face fines of up to €20 million ($23 million), or four percent of their global annual revenue from the previous year, whichever amount is greater. Firms have 72 hours to report any breach to the regulators or face a maximum fine of two percent of their global revenue. For Facebook, this would give a maximum possible fine of $1.63 billion.

Facebook unlikely to be hit by punitive GDPR fines
The GDPR has generated widespread publicity and discussion over the past year, prompting the Information Commissioner's Office (ICO) to publish an official guide to the GDPR on their website. This guide makes clear that fines only apply if the EU’s commission decides that a company didn’t do enough to try and protect its users’ data. Severe fines are reserved for firms that deliberately and repeatedly engage in noncompliance, something that clearly doesn’t apply to Facebook.

According to Facebook’s own transcript, the DPC was notified of the data breach on September 28, a fact that the DPC has acknowledged. This puts Facebook well within the 72-hour deadline for notifying the DPC of the breach. While the DPC has complained that the report lacked ‘detail’, the ICO’s own guide to the GDPR clearly states that it isn’t necessary for firms to include all details about security breaches in their 72-hour reports.

More than 90 million Facebook users affected by latest breach
In the latest attack, hackers exploited a feature called ‘View As’ that lets users see how their profile appears to others. According to CEO Mark Zuckerberg, whose own account was affected in the attack, the vulnerability was quickly patched and all of the almost 50 million affected accounts were automatically logged out. As a precautionary step, Facebook suspended the ‘View As’ feature and reset access tokens for an additional 40 million accounts. All users have to do is log back in.