Ireland warned Facebook in 2011 of grave risks to users' data
Facebook was warned that its users were at risk two years before the data of 50 million people was accessed by a controversial political firm.
In 2011, the social media giant's European regulator cautioned that it was failing to ensure that data was protected when passed to third-party software developers.
The Irish Data Protection Commissioner (DPC) initially warned Facebook of this oversight in December 2011, claiming that it could not "assure users of the security of their data".
Facebook has its European base in Ireland, making its Dublin subsidiary responsible for the handling of all users' data in Europe. The DPC its most powerful regulator outside the US.
Facebook responded with minor changes to the way users were notified about how apps were gathering data - but did not fully block the practice for another four years.
The discovery of the warning raises new questions about why Facebook did not take action sooner to protect users' private information.
In 2013, two years after the warning, Aleksandr Kogan, a Cambridge professor, used a personality quiz on Facebook to obtain data from 50 million users without their knowledge.
Prof Kogan then allegedly passed the data to Cambridge Analytica, in violation of Facebook's rules and without the company knowing.
The latest disclosure comes after a whistleblower raised concerns that millions more users may have had their data compromised. Sandy Parakilas, a former Facebook manager, last week said the company had no way of knowing if data was misused once it had been accessed by third-party apps and would take the apps "at their word". He said "personal identifiable data was basically allowed to leave Facebook".
In the audit of Facebook Ireland's data protection practices, the DPC said: "We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data.
"We do note... the proactive monitoring and action against apps which breach platform policies. However, this is not considered sufficient to assure the security of data once users have third-party apps enabled."
Amid growing concerns that the data obtained by Cambridge Analytica may simply be the tip of the iceberg, Facebook announced an investigation into whether others might have used the same techniques to obtain data.
Mark Zuckerberg, the 33-year-old Facebook founder and chief executive, said the company would audit any app that displayed "suspicious activity" to see if information had been stolen.
Zuckerberg has been invited by the European Parliament to speak following the recent revelations. The Parliament and the European Commission have already called for an urgent investigation into the scandal.
A Facebook spokesman said: "Third-party apps built on Facebook was the subject of detailed examination... by the Irish Data Protection Commissioner in 2011-2012. In September 2012, they acknowledged the progress we had made and in 2014 we announced we were changing the entire platform."