Instagram has been issued a fine totalling €405 million by the Irish Data Protection Commission (DPC) after the social media platform was found to have violated the General Data Protection Regulation (GDPR).
The decision means Instagram is now the third Meta-owned company to be fined by the Irish regulator for falling foul of the EU’s data rules.
The €405 million penalty is also the largest to be dished out to a Meta-owned business and the second biggest overall, after Luxembourg regulators fined Amazon €746m for GDPR-related breaches last year.
"We adopted our final decision last Friday and it does contain a fine of 405 million euros," the DPC confirmed in a statement, adding that full details will be published “next week”.
The complaint against Instagram focuses on the platform’s processing of children’s data. Back in 2020, the DPC began investigating a setting that allowed users aged between 13-17 to set up business accounts that publicly displayed their phone numbers and email addresses.
The watchdog found that the platform’s user registration system operated in such a way that new accounts would have contact details visibility set to “public” by default – unless the user actively selected “private”.
In a statement issued in response to the fine, Meta said it “engaged fully” with the DPC and is reviewing the outcome.
“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private," the spokesperson said.
"Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.”
They added: “We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”
The Irish regulator oversees a host of technology behemoths that have their EU headquarters in Ireland - including Google, Apple, and Meta itself.
The trusted data centre and storage infrastructure
Invest in infrastructure modernisation to drive improved outcomes
The firm’s Instagram breach is not the first time it has been issued a fine from the DPC, which acts in accordance with data privacy rules introduced by the EU back in 2018.
Last year, messaging platform WhatsApp was slapped with a €225 million penalty relating to its lack of transparency in how it shared user data with sister platform Facebook. The service was found to have violated Article 14 of GDPR, which states that data controllers must provide data subjects with sufficient information regarding how their data is collected and processed.
Back in March of this year, Facebook itself was also fined €17 million for a series of 12 GDPR breaches that took place between 7 June 2018 and 4 December 2018.
