European regulators on Thursday said they are investigating whether Facebook violated the European Union’s privacy laws, which are much stricter than those in the U.S.
“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” Ireland’s Data Protection Commission (DPC) said in a statement. “We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the [General Data Protection Regulation].”
It is at least the 11th probe by European regulators into Facebook’s violations of the EU’s General Data Protection Regulation 2016/679 (GDPR), which was implemented nearly one year ago.
The news comes one day after the company revealed in its earnings report that it set aside $3 billion to $5 billion to pay an expected fine from the U.S. Federal Trade Commission over privacy violations. No public statement or settlement has yet been announced by the FTC, and it is unusual for a company to pre-emptively assume what regulators will fine it.
Because Facebook and other tech giants have their international headquarters in Ireland, the Irish DPC is the company’s lead privacy regulator for Europe.
Separately, on Thursday, Canadian regulators announced that they had found “major shortcomings” in Facebook’s privacy practices after investigating the Cambridge Analytica story, and said they would take the tech giant to court to try to force the company to change its privacy practices.
Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign, gained access to the personal data of millions of Facebook users. Regulators estimate that more than half a million Canadians may have been affected.
“Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians, an investigation has found,” a statement from the Office of the Privacy Commissioner of Canada said.
“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” Privacy Commissioner Daniel Therrien said in the statement. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”
If Facebook had implemented recommendations from a 2009 investigation by the Privacy Commissioner’s Office, “the risk of unauthorized access and use of Canadians’ personal information by third party apps could have been avoided or significantly mitigated,” the statement continued.
Canadian authorities began their investigation last year in the wake of the Cambridge Analytica scandal, in which a political firm improperly accessed the personal information of 87 million users without their knowledge.
Facebook Canada spokeswoman Erin Taylor said the company was disappointed Therrien considers the issues unresolved.
“There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information,” Taylor said. “We understand our responsibility to protect people’s personal information, which is why we’ve proactively taken important steps toward tackling a number of issues raised in the report.”