Speaking to newspaper The Sun, Gareth Pope, head of group litigation at law company Slater and Gordon, said that anyone who had been hacked, who is resident in, or a citizen of the EU, could potentially claim damages of around $6,000 - $9,000.
GDPR includes provision for people whose data has been leaked by a company or organization, to claim compensation for that loss.
Under Article 82 of GDRP, anyone can claim for material or non-material damage, meaning users don't have to show a financial loss, but just that the incident caused them distress.
Pope noted that any legal action would likely be quite complex, and costly to get started, but that in the case of Facebook there does seem to have been a failure to secure data.
He added that a group action against Facebook, backed with insurance to cover costs in case of a loss would be the most prudent approach to suing Facebook, although no such actions have happened so far.