Facebook's transparency on where the data of its users go has been insufficient, the Data Protection Commissioner (DPC) has said.
DPC Helen Dixon said her office was supervising the changes that had been made by the tech giant following the Cambridge Analytica saga.
Ms Dixon said that the Cambridge Analytica case - which may have had a major political impact - had highlighted a number of issues with the social media site's app development platform up until 2014.
"In fact, it is the case that [there were] many apps that were operational on the Facebook platform up to 2014 where access to friend data in addition to user data was accessed," Ms Dixon said.
Last week, the office of the DPC warned that there would be a high number of Irish Facebook users who have had their data used by apps.
Ms Dixon was speaking at Dublin Data Sec 2018, the second annual data protection conference organised by INM Events.
"We continue our oversight and our supervision of Facebook in terms of the corrective actions they're taking around this app developer platform. And they have announced a series of corrective measures and actions they are taking.
"We are overseeing that actively every day with them."
Ms Dixon said her office had issued guidelines in recent weeks designed to make Facebook users more aware of the control settings for their data on social media platforms.
But she said Facebook, along with many other organisations, still needed to provide more information on data usage.
"It's necessary that they give transparent and clear information to users of their service, so that they understand the risks of their data being collected and the implications of the different control settings that are made to them," she said.
"Transparency has not been sufficient to date.
"And that's been clear ... from Facebook and from many other companies and in all sectors," she added.
Asked whether Facebook users were aware of how to change their settings, Ms Dixon said there "certainly does seem to be a high level of engagement with the settings, but I think a lot more needs to be done."
The Irish Independent put the comments made by Ms Dixon to Facebook, but no response was forthcoming from the company at the time of going to print.
Commenting at the conference on the General Data Protection Regulation (GDPR) changes, which are due to come into effect EU-wide from May 25, Ms Dixon said she was both "excited and terrified".
The EU-wide regime updates and overhauls European data protection law.
All companies and organisations that process the data of EU residents are going to be obliged to comply with the new requirements.
"The GDPR is specifically structured to place responsibility on organisations," Ms Dixon said.
"Organisations now need to know that there will be a way of holding them to account if they do not shoulder responsibility."
On the subject of fines - businesses or organisations face fines of up to €20m or 4pc of annual global turnover for non-compliance with the regulation, whichever is the larger figure - Ms Dixon said they were necessary in order to "grab the attention of industry".