"It is a question for the management if they have things under control," EU Justice and Consumer Affairs Commissioner Vera Jourova told AFP in Luxembourg.
"The magnitude of the company ... makes it very difficult to manage, but they have to do that because they are harvesting the data and they are making incredible money on using our privacy as the commodity," she added.
Jourova spoke just days after Facebook admitted that up to 50 million user accounts around the world had been breached by hackers, in yet another scandal for the beleaguered social platform.
"I will know more ... in hours or days but according to our knowledge, five million Europeans have been affected out of those 50, which is an incredible number," she said.
Jourova said Facebook's quick revelation of the case demonstrated that new European rules on data protection implemented earlier this year are working.
New EU rules -- the General Data Protection Regulation (GDPR) -- have been billed as the biggest shake-up of privacy regulations since the birth of the web and give European regulators vast new enforcement powers.
The case for GDPR was boosted by another recent scandal over the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.
Jourova said the worst cases involve a company finding a major breach and then failing to warn authorities or its users, which she said doesn't appear to be the case in the latest Facebook drama.