The DPC opened a statutory inquiry into the incident in question in April 2019 under the bloc’s General Data Protection Regulation (GDPR) after Meta, or Facebook as the company was still called back then, notified it that “hundreds of millions” of users’ passwords had been stored in plaintext on its servers.

The security incident is a legal issue in the European Union because the GDPR requires that personal data is appropriately secured.