The Irish Data Protection Commission is investigating if the revelation that Facebook left hundreds of millions of passwords exposed in plain text violated the EU’s General Data Protection Regulation (GDPR).
“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” the watchdog wrote in its Thursday release.
“We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR.”
Ireland’s Data Protection Commission is the lead authority for Facebook under the EU’s strict data laws, which came into effect in May 2018.
The social network acknowledged in March that an internal investigation found people’s passwords sat readily available to its staffers, leaving them open to potential improper access. Facebook addressed this in an emailed statement Friday.
“We are working with the IDPC on their enquiry. There is no evidence that these internally stored passwords were abused or improperly accessed,” a Facebook spokesperson said in the statement.
The Irish watchdog’s investigation came on the same day the New York attorney general’s office said it would look into Facebook harvesting 1.5 million people’s email contacts without their consent. Canada’s regulator also said it would take the company to court for its privacy missteps.
First published at 4:48 a.m. PT.
Update, 7:17 a.m.: Adds Facebook comment.