Facebook’s current turmoil over user privacy stems in part from a six-year-old pact with the Federal Trade Commission that the agency now says may have been violated.

Facebook shares have been hit hard, including another 5% drop on Monday, since a former insider at Cambridge Analytica, the research firm used during the Trump presidential campaign, said the firm obtained data on millions of users without their consent by getting the information from an academic researcher.

The FTC on Monday confirmed it was investigating Facebook’s practices, and the statement from Tom Pahl, acting director of the FTC’s bureau of consumer protection, alluded to the previous settlement with the internet giant. “Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements,” Pahl said.

That’s a reference to a November 2011 settlement between the FTC and Facebook, which alleged that the social media site had failed to protect users’ privacy by not disclosing how it was using their data. Under the settlement, Facebook was required to obtain outside assessments every two years for the next 20 years to prove it had fixed the violations and hadn’t repeated them.


Consumer watchdog group the Electronic Privacy Information Center obtained Facebook’s initial 2012 compliance report and the first assessment prepared by the independent auditor in 2013 through an earlier FOIA request. EPIC is also seeking the 2015 and 2017 compliance reports and independent assessments, which would cover the period of the data transfers to Cambridge Analytica.

PricewaterhouseCoopers, the global accounting firm, was picked to be Facebook’s independent privacy auditor.

The PwC report is a specialized “attestation” engagement, a non-financial audit that includes PwC’s opinion on Facebook’s privacy controls. In 2013, PwC said that the controls were, after Facebook’s fixes in response to the enforcement action, “operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information.”

Michael Corey, who leads PwC’s U.S. cybersecurity and privacy assurance practice, did not respond to a request for comment sent via PwC’s website.

In this case, PwC conducted its assessment based on the Generally Accepted Privacy Principles (GAPP), a voluntary standard developed by the AICPA, the accounting industry’s trade association.

Robert Gellman, a privacy consultant, told MarketWatch that GAPP is out of date. “There’s nothing there about cloud computing. There’s not enough about international jurisdictional issues, artificial intelligence, or transborder data flows.”

Based on the portion of the 2013 report that is not redacted, the issue of third-party access, specifically by academic researchers who may later sell or transfer data, was not covered in depth. PwC’s 2013 assessment does say that it examined Facebook’s policy regarding third-party developers: “Facebook discloses personal information to third-party developers only for the purposes in the notice and with the implicit or explicit consent of the individual.”

PwC makes it clear in the initial assessment report that Facebook is responsible for the assertions PwC tests. “Our responsibility is to express an opinion based on our examination.” That examination consists of reviewing, on a test basis, “evidence supporting the effectiveness of the Facebook Privacy Program” and “performing such other procedures as we considered necessary.”

PwC also makes it very clear that it did not examine, and is not responsible for, Facebook’s compliance with information security or privacy-related laws, statutes or regulations, nor Facebook’s interpretation of those laws, regulations or voluntary frameworks.

Penalties for violating the FTC agreement can go as high as $40,000 per day per violation.

“We take any allegations of violations of our consent decrees very seriously as we did in 2012 in a privacy case involving Google,” an FTC spokeswoman told MarketWatch.

A spokeswoman for Facebook did not respond to a request for comment.

Facebook’s deputy general counsel, Paul Grewal, pinned the blame for the unauthorized access on Cambridge Analytica, which Facebook suspended, as well as on the academic researcher, Dr. Aleksandr Kogan.

Approximately 270,000 people willingly downloaded a personality prediction test. But that app also allowed Kogan to access information on all of their friends whose privacy settings permitted it, according to Facebook.

Grewal posted on the site that although Kogan “gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time” he subsequently broke Facebook rules. “By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies,” wrote Grewal.

Grewal says that when Facebook learned of this violation in 2015, it removed Kogan’s app from Facebook and demanded certifications from him and from every party he had given data to that the information had been destroyed. Cambridge Analytica, Kogan and Wylie provided those certifications.

But Grewal also says that now Facebook has discovered that “contrary to the certifications we were given, not all data was deleted.”
