Facebook could face up to $1.6 billion in fines over data breach as regulators eye formal probe

  • Facebook disclosed that it had discovered a security bug that allowed hackers to access information on around 50 million accounts.
  • The Irish Data Protection Commission said it was looking into whether to open a formal investigation into Facebook.
  • The social network could be fined a maximum of $1.63 billion if it is found to have breached the General Data Protection Regulation (GDPR) in the European Union.

A top European regulator is considering opening a formal investigation into Facebook following a data breach that hit 50 million users and which could land the social network with millions of dollars in fines under strict new rules in the region.

On Friday, Facebook disclosed that it had discovered a security bug that allowed hackers to access information on around 50 million accounts.

Of those 50 million accounts, fewer than 10 percent are based in the European Union (EU), according to the Irish Data Protection Commission (DPC). Facebook's European subsidiary is headquartered in Ireland, so the Irish DPC is the data watchdog responsible for regulating Facebook in the EU.

In a statement to CNBC on Tuesday, the Irish DPC said that it was awaiting "more detailed numbers" and that it was assessing whether to open a formal probe into Facebook.

"Before we would launch any investigation there are steps that would have to be taken in relation to information gathering and preparing the scope of an inquiry. Furthermore, we would need to establish under which provisions of the Data Protection Act 2018 we would conduct it. We are currently engaged in those steps," a spokesperson for the regulator said.

Facebook did not respond to a request for comment when contacted by CNBC. But it tweeted that it was working with regulators and would release more information about the breach soon.

Potential $1.63 billion fine

The Facebook data breach will be the first major test of Europe's tough data protection law, introduced in May and known as the General Data Protection Regulation (GDPR). It applies to any company handling the data of EU citizens and puts strong controls on how that information is stored and used.

A big part of GDPR concerns data breaches: companies face punishment if they do not notify regulators about a data breach within 72 hours of it happening. Firms can also be fined if they are found not to have done enough to prevent a breach, or to have violated any of the principles on the processing of personal information laid out in the GDPR legislation.

Mark Zuckerberg, chief executive officer and founder of Facebook Inc., listens during a joint hearing of the Senate Judiciary and Commerce Committees in Washington, D.C., U.S., on Tuesday, April 10, 2018.
Al Drago | Bloomberg | Getty Images

If it is found to have breached GDPR, the maximum fine Facebook could face is 4 percent of its annual global turnover. Since the social network made over $40.65 billion in revenue last year, that fine could amount to around $1.63 billion.

But it's worth noting that this is the maximum fine, and the EU does not have a history of invoking the harshest punishment available under the law. Facebook also appears to have notified regulators about the breach within the required time.

Vera Jourova, the EU's justice commissioner, said she has been in "close contact" with the Irish DPC, which is "intensively working on this case." She told CNBC's Joumanna Bercetche that GDPR has given the EU a strong way to punish companies who fall afoul of the rules.

"For these cases, I think Europe is… equipped with GDPR because we have very strict rules and we have very strong instruments to discipline the companies which deal and which handle the private data of people, which is obviously the case with Facebook. We are waiting for further information over the next… days," Jourova said Tuesday.

Andrew Dyson, partner at law firm DLA Piper, said that this will be a "test case for how far" the Irish DPC is willing to assert its new regulatory powers.

"Will they be willing and able to take on the might of a Silicon Valley titan? In reality it is likely to take many months before we know. For now, the focus will be on fact finding — understanding what went wrong, who was affected and whether Facebook handled the incident responsibly," Dyson told CNBC by email on Tuesday.

"If the answers are satisfactory then we may hear little more about this (at least from the regulator) but given the profile it seems likely this will run for some time and there will be a desire to send a clear message to the market."

The EU has been cracking down hard on U.S. technology companies. Last year, it fined Google 2.4 billion euros ($2.77 billion) after it said the search engine giant violated antitrust rules with its online shopping practices. The regulators then hit Google with a 4.34 billion euro fine earlier this year, accusing it of abusing its dominant position with its Android mobile operating system.

These were antitrust fines, however, and not under GDPR.

Regulatory scrutiny

Investors are becoming increasingly worried about the regulatory scrutiny being put on social media firms, particularly Facebook.

Scott Kessler, director of equity research at CFRA, said the breach raises questions about the future of the company.

"Although Facebook had $42 billion in cash and short-term investments as of June 2018, we see this recent security problem adding to already significant concerns about the company and its management," Kessler said in a note Monday.

Facebook shares are down nearly 8 percent year-to-date. The data breach is just one of the major issues the company has faced this year. In March, explosive details emerged about how 87 million Facebook profiles were harvested for data, with the information being passed to a third party called Cambridge Analytica. And last week, Kevin Systrom and Mike Krieger, the co-founders of the Facebook-owned photo-sharing app Instagram, resigned, adding to the challenges faced by the social network.

While Europe has moved first on a major data protection law, politicians in the U.S. have yet to introduce nationwide legislation of the same kind. Several technology and telecoms companies, including Amazon and Google, recently appeared in front of lawmakers and said they would be happy to support a federal privacy bill.