The Data Protection Commission (DPC) has launched an inquiry into the publication online of what has been reported to be the personal data of 533m Facebook users, including many in Ireland.
The information appeared freely available in a low-level hacking forum on April 3 and included phone numbers, names, locations, email addresses and biographical data.
"The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses," the DPC said in a statement on its website.
"The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users' personal data."
As a result, the commission said it considers it appropriate to probe whether Facebook Ireland has complied with its obligations as data controller under the General Data Protection Regulation (GDPR).
These obligations specifically relate to the processing of personal data of Facebook users through Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features, the DPC said.
A spokeswoman for Facebook said the company was cooperating fully with the inquiry "which relates to features that make it easier for people to find and connect with friends on our services."
"These features are common to many apps and we look forward to explaining them and the protections we have put in place," the spokeswoman added.
The social network has previously stated that the data was scraped through a vulnerability that it patched in 2019 after the information was first offered online for a fee and in a difficult-to-find manner.
However, when it recently re-emerged it did so in a more accessible form and was offered free.
Given the nature of the data, it is thought it could potentially be used by cybercriminals to impersonate people or scam them.
The DPC acts as lead supervisory authority for Facebook across Europe.
Under the GDPR, if a company is found to have breached its obligations, it can be fined up to €20m or 4% of its global turnover for the previous year.