Ireland's data protection authority launched an investigation into Facebook Wednesday, bringing stringent new European privacy laws to bear on the tech titan after a security breach exposed 50 million accounts.
The move comes after the social media firm admitted to the data breach in a blog post last Friday, saying attackers exploited a vulnerability in the website's code in September in a way that could have given them access to people's accounts.
"The Irish Data Protection Commission (DPC) has today, October 3, 2018, commenced an investigation... into the Facebook data breach," a DPC spokesman said in a statement.
"In particular, the investigation will examine Facebook's compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organizational measures to ensure the security and safeguarding of the personal data it processes."
The Irish probe has been touted as the first major test of the reformed European regulation which came into effect in May.
GDPR gives regulators sweeping powers to sanction organizations which fail to adhere to heightened standards of security when processing personal data.
Firms can be fined up to 4 percent of annual global turnover if they fail to abide by the rules – meaning Facebook faces a theoretical fine of 1.4 billion euros (1.6 billion US dollars), based on its 2017 annual revenue of 35.2 billion euros (40.6 billion US dollars).
But on Tuesday the EU's top data privacy official said the social media giant was unlikely to face the maximum penalty because it had adhered to rules requiring notification of the data breach within 72 hours.
This "is one of the factors which might result in lower sanctions," EU Justice and Consumer Affairs Commissioner Vera Jourova told AFP in Luxembourg.
"But this is only theoretical," she added.
"We have been in close contact with the Irish Data Protection Commission since we have become aware of the security attack and will continue to cooperate with their investigation," Facebook said in a statement.
In its post on Friday, Facebook said the data breach happened on September 25.
"This allowed them to steal Facebook access tokens which they could then use to take over people's accounts," VP of Product Management Guy Rosen wrote.
"We have yet to determine whether these accounts were misused or any information accessed. We also don't know who's behind these attacks or where they're based."
On Monday, Ireland's DPC said staff believe that of the total profiles potentially impacted, less than 10 percent are EU accounts.
Facebook, which has established its international headquarters in Ireland, is already suffering from a tainted reputation on data security following the Cambridge Analytica (CA) scandal.
In that case, tens of millions of users had their personal data hijacked by CA, a political firm working for Donald Trump in 2016.