European regulators on Thursday said they are investigating whether Facebook violated the European Union's privacy laws, which are much stricter than those in the U.S.
"The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers," Ireland's Data Protection Commission (DPC) said in a statement. "We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the [General Data Protection Regulation]."
It is at least the 11th probe by European regulators into Facebook's violations of the EU's General Data Protection Regulation 2016/679 (GDPR), which was implemented nearly one year ago.
The news comes one day after the company revealed in its earnings report that it set aside $3 billion to $5 billion to pay an expected fine from the U.S. Federal Trade Commission over privacy violations. No public statement or settlement has yet been announced by the FTC and it is an unusual move for a company to pre-emptively assume what it would be fined by regulators.
Because Facebook and other tech giants have their international headquarters in Ireland, the Irish DPC is the company's lead privacy regulator for Europe.
In March, the company announced that it stored hundreds of millions of user passwords in plain text -- able to be read by employees -- on internal servers. Then on April 18, the company quietly updated its initial blog post, announcing that the number of users who had their passwords stored in plain text without encryption was much higher than previously reported, affecting millions more Instagram users. The picture-sharing service is owned by Facebook.
Facebook did not immediately respond to a request for comment on the probe.
Separately, on Thursday, Canadian regulators announced that they had found "major shortcomings" in Facebook's privacy practices after investigating the Cambridge Analytica story, and said they would take the tech giant to court to try to force the company to change its privacy practices.
Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign, gained access to the personal data of millions of Facebook users. Regulators estimate that more than half a million Canadians may have been affected.
"Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians, an investigation has found," a statement from the Office of the Privacy Commissioner of Canada said.
“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” Privacy Commissioner Daniel Therrien said in the statement. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection."
The Canadian watchdog said that it had investigated Facebook for the "overly broad" permissions it had gotten from users to share their personal information with third-party apps, and for not protecting users properly.
If Facebook had implemented recommendations from a 2009 investigation by the Privacy Commissioner's Office, "the risk of unauthorized access and use of Canadians' personal information by third party apps could have been avoided or significantly mitigated," the statement continued.
Canadian authorities began their investigation last year in the wake of the Cambridge Analytica scandal, in which a political firm improperly accessed the personal information of 87 million users without their knowledge.
Facebook Canada spokeswoman Erin Taylor said the company was disappointed Therrien considers the issues unresolved.
“There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information,” Taylor said. “We understand our responsibility to protect people’s personal information, which is why we’ve proactively taken important steps toward tackling a number of issues raised in the report.”