Facebook, the beleaguered social media giant that is facing intense scrutiny into its business practices, could be on the hook for a multibillion dollar fine, reported CNN.

According to the report citing the Irish Data Protection Commission, Facebook is under investigation by the regulator over allegations it failed to protect the privacy of its users. It confirmed to CNN late last week that it started a “statutory” inquiry into the social media giant after it received several reports of data breaches. The Irish Data Protection Commission is in charge of making sure companies comply with the new European Genera Data Protection Regulation, which has been in effect since May. The Irish regulator was given the powers to ensure companies are complying with the new stringent data protection law. Facebook has its European headquarters in Dublin, so it is required to alert the Irish Data Protection Commission within 72 hours of any data breach. If companies are found not having complied with the rules of GDPR they can be fined as much as $23 million or 4 percent of annual revenue, whichever is higher, reported CNN. Facebook had revenue of nearly $40 billion last year, which CNN calculated could translate into a fine of as much as $1.6 billion. That’s assuming revenue stays the same next year.

The Irish Data Protection Commission told CNN it launched the inquiry due to several breaches reported to the regulator, including Facebook’s latest disclosure that a bug exposed the photos of millions of Facebook users for twelve days. The problem was discovered by Facebook in September, but it didn’t tell the Irish Data Protection Commission until November 22. According to CNN, Facebook said it reported the incident as soon it was able to ascertain it was breach that needed to be reported. “We are in close contact with the Irish Data Protection Commission and are happy to answer any questions they may have,” a Facebook spokesperson told CNN.