Facebook is to face an investigation by the Irish Data Protection Commissioner (DPC), following the company’s disclosure that a bug may have exposed private photos of up to 6.8 million users. The DPC is the lead regulator of Facebook in the European Union.

Second DPC investigation

The DPC said it was investigating to determine whether the company had complied with strict new EU privacy rules in its response to a number of breaches, including the one that exposed photos. Facebook released a statement that it was in close contact with the Irish regulator and happy to answer any questions. The investigation is the second opened by the DPC into Facebook since the new regulations took effect in May. Facebook disclosed the photo glitch on Friday, saying it allowed some 1,500 software apps to access private photos for 12 days ending September 25. The company explained that typically it only grants such apps access to photos shared on a user’s timeline, but the bug potentially gave developers access to other photos, including ones that were uploaded but not posted, and ones shared on Marketplace and Facebook Stories. In a blog posting, Facebook said ‘we’re sorry this happened.’

More regulation?

The European data law requires companies to report data breaches to authorities within 72 hours, giving regulators authority to impose fines of up to 4 percent of annual global revenue for infractions. Facebook said it would alert users whose photos may have been exposed. The glitch is the latest to raise questions about Facebook’s efforts to assure users and regulators that it is making progress in boosting security and privacy, including the high profile Cambridge Analytica scandal. More reports of bugs and breaches may cause governments to add additional regulations.