The EU’s sweeping General Data Protection Regulation (GDPR) goes into effect on May 25 and introduces stricter rules on how businesses may use and store their customers’ personal data. This will greatly affect foreign tech companies operating in the EU, which will no longer be able to use personal data as freely and as lucratively as they used to.

Facebook is one of those companies, and it will have to change its approach to personal data, at least for its European users, according to a recently published study by researchers at the University Carlos III of Madrid.

The study reveals that Facebook labels over 73 percent of its EU users with interests linked to sensitive personal data, which corresponds to 40 percent of the overall EU population. This means that the interest data Facebook stores on around 205 million Europeans could be used by third parties to uncover their identities, endangering the users’ privacy and exposing them to phishing attacks.

This practice may run afoul of the EU’s upcoming law, which contains a qualified prohibition on processing special categories of personal data whose exposure creates privacy risk, such as political orientation, religious beliefs and sexual orientation. Under GDPR, Facebook must obtain explicit consent from users before using their data in this manner.

In their conclusion, the researchers, José González Cabañas, Ángel Cuevas, and Rubén Cuevas, state that one of the reasons Facebook keeps a record of its users’ interests is to improve ad targeting, meaning that the company is “commercially exploiting sensitive personal data for advertising purposes.” Under the new GDPR this is prohibited unless users have given explicit consent, and violations are punishable with fines of up to four percent of the company’s annual global turnover.

They also encourage the American tech giant to react to the findings of the study and change its approach to personal data as soon as possible:

We illustrate how FB users that have been assigned sensitive ad preferences could face serious privacy risks since the identity of some of them could be unveiled at low cost through simple phishing-like attacks. The results of our paper urge a quick reaction from Facebook to eliminate from its ad preferences list all those that can be used to infer the political orientation, sexual orientation, health conditions, religious beliefs or ethnic origin of a user for two reasons: (i) this will guarantee that Facebook complies with the GDPR, (ii) it will preserve the privacy of the users from attackers that aim to unveil the identity of groups of people linked to (very) sensitive information.

The researchers estimate that a malicious third party could use these interest labels to unmask users’ identities for as little as €0.015 per user. That is not only a truly worrying thought; it also underlines the necessity of proper privacy regulation like GDPR.

For more information, you can read the original study here (PDF).

Update: Previously, the article incorrectly stated that Facebook’s actions were “strictly forbidden” under GDPR, while in reality the company can keep on doing it as long as it obtains explicit consent from users. We thank our observant reader Jennifer Cobbe for pointing this out to us.
