*By Conor White* Facebook is staring down the barrel of what may be the biggest fine ever imposed for a privacy violation. But regulators still need to prove the company acted in bad faith, and that may be easier said than done, said POLITICO's chief tech correspondent Mark Scott. "At the moment, Facebook has followed the letter of the law," Scott said Wednesday in an interview on Cheddar. "They'd only be fined that amount if they were proven to really mishandle people's data." Ireland's data protection authority on Wednesday launched a formal investigation into Facebook's ($FB) latest data breach, which reportedly affected at least 50 million users. It is the largest hack in the company's 14-year history. Three software flaws allowed hackers to break into user accounts, gaining access to all the third-party apps user signed into with their Facebook logins ー popular platforms like Spotify ($SPOT), IAC-owned ($IAC) dating app Tinder, and Instagram, to name a few. Data points like user names, hometowns, and genders were also exposed, the company said. Under the guidelines of Europe's new General Data Protection Rule (GDPR), Facebook could be forced to pay as much as 4 percent of its global revenue, roughly $1.6 billion. The company said it has since fixed the problem and forced 90 million users to re-sign into their accounts. Still, Scott said this breach is the last thing Facebook needs. "This doesn't really come at a good time for Facebook with the Cambridge Analytica scandal in the recent past ー plus the U.S. midterms coming up," he said, pointing out the company has come under fire for not preventing bad actors from meddling with the platform during recent elections. "Facebook can double-down on the privacy specialists, and it has done a pretty good job, but in the end this is not good news for Facebook as it tries to rebuild trust with consumers." Before the GDPR, the company might've had more time to assess its options, but the social media giant is now required by law to inform regulators within 72 hours of a breach's discovery. While privacy issues are taken more seriously in the European Union, Scott said that the latest developments may have forced Americans to take a closer look at how ー and with whom ー they're sharing their information. "The privacy debate pre-Cambridge Analytica was kind of philosophical," Scott said. "But now with Facebook, and maybe the Equifax scandal in the past, the American population has kind of woken up to the fact that maybe they should be paying more attention to this." For full interview [click here](https://cheddar.com/videos/europes-gdpr-gets-first-real-test-with-latest-facebook-breach).
