Instagram is set to be fined 405 million euros (U.S. $401 million) by Ireland’s data protection regulator for failing to adequately secure teenage users’ data in line with the General Data Protection Regulation (GDPR).
The penalty will be the largest to date handed down by the Irish Data Protection Commission (DPC), the primary European data regulator for the social media giant. It is the third fine in the past year against a subsidiary of Meta, following sanctions of €17 million (then-U.S. $18.6 million) in March against Meta Ireland (formerly Facebook Ireland) and €225 million (then-U.S. $267 million) in September 2021 against WhatsApp.
The Instagram fine will be the second largest imposed under the GDPR, behind a €746 million (U.S. $739 million) penalty weighed against Amazon in Luxembourg last year.
In an emailed statement, a spokesperson for the Irish DPC confirmed it adopted its final decision Friday regarding the Instagram fine. Full details in the case are expected to be published next week.
A spokesperson for Meta said the company intends to appeal the decision.
“While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated,” the spokesperson said. “We’re continuing to carefully review the rest of the decision.”
The Irish DPC’s inquiry started in September 2020 following information provided by a third party, although the regulator said it already had concerns about the way the platform processed data. The scope of the investigation concerned two types of processing carried out by Facebook Ireland.
The first issue related to Facebook allowing users between the ages of 13 and 17 to operate “business accounts” on Instagram, which led to their phone numbers and/or email addresses being published widely in certain cases. The second issue concerned the platform’s user registration system, which set the accounts of child users to “public” by default and required a manual change to switch the setting to “private.”
“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” the Meta spokesperson said. “Anyone under 18 automatically has their account set to private when they join Instagram so only people they know can see what they post, and adults can’t message teens who don’t follow them.”
Said Andy Burrows, head of child safety online policy at the U.K.’s National Society for the Prevention of Cruelty to Children, “This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram. The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online.”
Currently, the Irish DPC has 14 ongoing inquiries into Meta, including Facebook, Instagram, and WhatsApp. Legal and data privacy experts believe the most noteworthy decision from the Irish watchdog will stem from its case involving Facebook and data transfers across the Atlantic.