The Republic of Ireland’s Data Protection Commission (DPC) formally opened an investigation to identify if Facebook breached EU General Data protection Regulation (GDPR), following a security hack which affected 50 million user accounts.

DPC, which is Facebook’s lead regulator in European Union, confirmed in a statement it is investigating the breach, which was disclosed by the social media giant last week.

The watchdog said its investigation will examine Facebook’s compliance with its obligation under GDPR “to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes”.

Facebook revealed hackers had exposed a security vulnerability which left 50 million users open to having their accounts taken over: the company reset the security credentials on a total of 90 million accounts (40 million of which were adjusted as a precaution) and informed law enforcement agencies.

EU GDPR rules came into force in May 2018 and could see Facebook hit with fines of up to 4 per cent of global revenue if found guilty of breaking privacy laws. The Wall Street Journal previously estimated the fine could amount to around $1.6 billion.

The new regulation requires companies to disclose breaches within 72 hours of discovery, or face steep penalties if they do not adhere to the rules. The latest Facebook hack existed in July 2017, but it was only identified on 25 September, before being publicly declared three days later.

Reuters said DPC regulates a number of US multinationals with European headquarters based in Dublin.

Facebook reportedly told the watchdog it is also conducting its own review into the recent issues and taking steps to mitigate future risks to users.

Earlier this week, the company confirmed the hack did not extend to its other platforms including WhatsApp and Instagram.