Ireland's privacy regulator is trying to determine if Facebook broke strict European Union data rules by failing to protect millions of its users' passwords.
On Thursday, the Irish Data Protection Commission announced it opened a "statutory inquiry" into the social media giant.
The regulator said it's investigating whether Facebook "has complied with its obligations under relevant provisions of the GDPR," otherwise known as the EU's General Data Protection Regulation.
The Irish Data Protection Commission is the lead authority for Facebook under the GDPR, which went into effect in May 2018.
And large companies can face pretty hefty fines for breaking GDPR rules. In Facebook's case, CNN says it could be forced to shell out up to $2.2 billion.
The investigation was launched a little more than a month after Facebook admitted it stored hundreds of millions of user passwords in plain text on internal data storage systems.
Facebook said in a statement it will cooperate with the inquiry. But a spokesperson told CNN there isn't any evidence that the passwords were abused or improperly accessed.
Additional reporting from Newsy affiliate CNN.