The DPC takes action after the company’s latest data breach.

Background: Facebook disclosed a data breach on 14 December, resulting from a bug which may have exposed private photos of up to 6.8m users. The DPC noted this is not the only breach Facebook has notified since GDPR has come into force.

What’s new: The DPC has now decided to investigate all the breaches it has been been notified since 25 May 2018, to assess Facebook’s compliance with the Regulation. In a blog post, the company explained that typically it only grants certain apps access to photos shared on a user’s timeline, but the bug potentially gave developers access to other photos.

What will happen next? The time frame of the investigation is unclear. The company issued a statement saying it is in close contact with the Irish regulator; however, it is worth noting that the breach announced on Friday dates back to September, which means it took Facebook almost three months to disclose it. Way more than the 72 hours considered to be “no undue delay” under GDPR.