Facebook Inc. is facing a new investigation by Ireland’s data privacy regulator over a data breach that left millions of user passwords exposed to the company’s employees.

The Irish Data Protection Commission began “a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions” of the European Union’s General Data Protection Regulation, Graham Doyle, communications director for the commission, said in an April 25 email.

Ireland is Facebook’s lead EU privacy regulator because its European headquarters is in Dublin.

Companies that violate the GDPR can face fines of up to 4 percent of annual revenue. That could mean billions in fines for large tech companies that fail to follow the comprehensive EU privacy rules.

The social-media giant found millions of user passwords for Facebook Lite—an app for the social media network designed for cheaper phones with slower speeds—stored in a readable format that only employees could view, Pedro Canahuati, the company’s vice president of engineering for security and privacy, said in a March 21 blog post. Facebook found the security flaw, which violated company policies, during a January internal security sweep, Canahuati said.

The Irish privacy office has been investigating Facebook’s internal security issue for several weeks. Many European privacy investigations advance through a fact-finding phase before investigators come to their initial findings.

Facebook didn’t immediately respond to a request for comment on the new investigation.