New York CNN Business  — 

Facebook could be facing a multi-billion dollar fine after a European regulator announced Friday that it is launching an investigation into the company over failure to protect user privacy.

The Irish Data Protection Commission, which oversees Facebook’s compliance with European law confirmed to CNN on Friday it launched a “statutory inquiry” into Facebook after receiving multiple reports of data breaches affecting the company.

News of the inquiry came just as Facebook announced that it had exposed photos from up to 6.8 million users. The incident comes after the company announced in September the biggest security breach in its history, in which hackers accessed the personal information of tens of millions of Facebook users.

The inquiry is the result of new powers given to the Irish data regulator as a result of the General Data Protection Regulation (GDPR), a European regulation that came into effect in May.

Because Facebook’s European headquarters is in Dublin, it must under GDPR inform the Irish data regulator within 72 hours of discovering a breach.

Companies found to have run afoul of GDPR could face a maximum fine of $23 million or 4% of their annual worldwide revenue, whichever is higher.

In Facebook’s case, the company had revenue of almost $40 billion in 2017, which means the company could face a fine of up to $1.6 billion if its revenue for 2018 remains roughly the same.

The bug, which involved the exposure of millions of Facebook users’ photos and occurred over a 12-day period, was discovered in September. But Facebook reported the breach to its European regulator two months later, on November 22, according to the company.

Facebook said it filed the report as soon as it had “established it was considered a reportable breach.”

Graham Doyle, the regulator’s head of communications, said the Irish Data Commission launched an inquiry this week stemming from several breach notifications it has received from Facebook.

When Facebook made the announcement of its biggest breach ever in September, the Irish Data Protection Commission expressed concern at the time about the lack of information it said it had received from the company.

“We are in close contact with the Irish Data Protection Commission and are happy to answer any questions they may have,” a Facebook spokesperson told CNN.