Facebook could face a sizable fine due to the E.U.'s General Data Protection Regulation.
The Facebook security flaw that exposed personal information to an unknown attacker affected 3 million people in Europe, where companies face potentially steep fines for privacy violations, an Irish official said on Tuesday.
Some 30 million people worldwide had their Facebook data exposed by the flaw, which allowed attackers to steal Facebook "access tokens," the digital equivalent of keys. Facebook announced last week that an unnamed party then used the tokens to see personal information about users.
For 14 million of the worldwide users, the attackers accessed data such as gender, birth date, work, location check-ins, pages they follow and their 15 most recent searches, Facebook said.
Graham Doyle, head of communications for the Ireland Data Protection Commission, said that 3 million Europeans were among those affected. CNBC first reported the figure. Facebook has its European headquarters in Ireland.
Doyle said the commission did not know yet what data of the 3 million Europeans had been exposed, but that the commission was investigating.
Facebook did not immediately respond to a request for comment.
In April, a new data privacy law took effect in Europe that enables the region's data protection authorities to fine companies up to 4 percent of their global revenue if they fail to protect user information. Facebook's revenue last year was $40.7 billion, so its maximum fine under the law would be $1.6 billion.
The law, known as the General Data Protection Regulation, says that the amount of a fine will depend in part on the "nature, gravity and duration of the infringement" and the "number of data subjects affected."