The maximum fine Facebook could face is 4 percent of annual global turnover, if it is found to have breached GDPR. Since the social network made over $40.65 billion last year in revenue, that total fine could amount to around $1.63 billion.
But it's worth noting that's the maximum fine and the EU does not have a history of invoking the harshest punishment under law. Facebook also appears to have notified regulators about the breach within the required time.
Vera Jourova, the EU's justice commissioner, said she has been in "close contact" with the Irish DPC, which is "intensively working on this case." She told CNBC's Joumanna Bercetche that GDPR has given the EU a strong way to punish companies who fall afoul of the rules.
"For these cases, I think Europe is… equipped with GDPR because we have very strict rules and we have very strong instruments to discipline the companies which deal and which handle the private data of people, which is obviously the case with Facebook. We are waiting for further information over the next… days," Jourova said Tuesday.
Andrew Dyson, partner at law firm DLA Piper, said that this will be a "test case for how far" the Irish DPC is willing to assert its new regulatory powers.
"Will they be willing and able to take on the might of a Silicon Valley titan? In reality it is likely to take many months before we know. For now, the focus will be on fact finding — understanding what went wrong, who was affected and whether Facebook handled the incident responsibly," Dyson told CNBC by email on Tuesday.
"If the answers are satisfactory then we may hear little more about this (at least from the regulator) but given the profile it seems likely this will run for some time and there will be a desire to send a clear message to the market."
The EU has been cracking down hard on U.S. technology companies. Last year, it fined Google 2.4 billion euros ($2.77 billion) after it said the search engine giant violated antitrust rules with its online shopping practices. The regulators then hit Google with a 4.34 billion euro fine earlier this year, accusing it of abusing its dominant position with its Android mobile operating system.
These were antitrust fines, however, and not under GDPR.