Data breach affected 2.7 million people in EU, says Facebook

"Facebook confirmed to us that the data of overall up to 2.7 million Europeans – or people in the EU, to be more precise – may have been improperly shared with Cambridge Analytica," commission spokesman Christian Wigand told press on Friday (6 April).

Earlier this week, Facebook gave an estimate of the worldwide maximum number of affected accounts, with CEO Mark Zuckerberg stressing in a conference call that the actual number may be lower, but not higher.

Facebook said in a blog post published Wednesday that of the 87 million people affected, over 80 percent were Americans.

The blog post only revealed the ten most affected countries, including the UK, where data from 1,079,031 people was said to be possibly compromised. Cambridge Analytica has been accused of being involved in duping UK voters into voting leave in the 2016 referendum on EU membership.

The US company did inform national media in the EU of the number of affected people there – such as a maximum of 309,815 users in Germany and up to 214,123 in Italy – but had not given an overall figure for all 28 EU member states.

Facebook gave the commission the figure in a letter sent on Thursday evening, in response to one sent by EU consumer affairs commissioner Vera Jourova last week.

In the letter, the company also told the EU what steps it has taken to improve security of its service.

"We will study the letter in more detail but it is already clear that this will need further follow-up discussions with Facebook on implemented changes, also in the context of the … upcoming new European data protection rules, and the broader questions on the democratic process," said commission spokesman Wigand.

On 25 May, the far-reaching European general data protection regulation will come into force, giving new privacy rights to every EU citizen.

Wigand added that Jourova has an appointment for a phone call with Facebook's chief operating officer Sheryl Sandberg (who wrote the letter) next week, "to continue this discussion".

Also next week, the EU's national data protection authorities will meet to discuss the breach.

While there are common EU rules on data protection, enforcement is still for a large part done at national level.

"A strong coordinated approach of the EU data protection authorities in the investigations is now crucial," said Wigand.

According to the Internet World Stats website, there were around 250 million Facebook users in the EU in mid-2017 – around half of the entire population.

In the worst case scenario that all 2.7 million identified by Facebook as potentially affected, were indeed affected, that would amount to one percent of EU users.