Instagram slapped with €405 million GDPR fine over breaches

The Instagram login screen shown on a smartphone held in front of the Instagram logo
(Image credit: Shutterstock)

Instagram has been issued a fine totalling €405 million by the Irish Data Protection Commission (DPC) after the social media platform was found to have violated the General Data Protection Regulation (GDPR).

The decision means Instagram is now the third Meta-owned company to be fined by the Irish regulator for falling foul of the EU’s data rules.

The €405 million penalty is also the largest to be dished out to a Meta-owned business and the second biggest overall, after Luxembourg regulators fined Amazon €746m for GDPR-related breaches last year.

"We adopted our final decision last Friday and it does contain a fine of 405 million euros," the DPC confirmed in a statement, adding that full details will be published “next week”.

The complaint against Instagram focuses on the platform’s processing of children’s data. Back in 2020, the DPC began investigating a setting that allowed users aged between 13-17 to set up business accounts that publicly displayed their phone numbers and email addresses.

The watchdog found that the platform’s user registration system operated in such a way that new accounts would have contact details visibility set to “public” by default – unless the user actively selected “private”.

In a statement issued in response to the fine, Meta said it “engaged fully” with the DPC and is reviewing the outcome.

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private," the spokesperson said.

"Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.”

They added: “We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

The Irish regulator oversees a host of technology behemoths that have their EU headquarters in Ireland - including Google, Apple, and Meta itself.


The trusted data centre and storage infrastructure

Invest in infrastructure modernisation to drive improved outcomes


The firm’s Instagram breach is not the first time it has been issued a fine from the DPC, which acts in accordance with data privacy rules introduced by the EU back in 2018.

Last year, messaging platform WhatsApp was slapped with a €225 million penalty relating to its lack of transparency in how it shared user data with sister platform Facebook. The service was found to have violated Article 14 of GDPR, which states that data controllers must provide data subjects with sufficient information regarding how their data is collected and processed.

Back in March of this year, Facebook itself was also fined €17 million for a series of 12 GDPR breaches that took place between 7 June 2018 and 4 December 2018.

Daniel Todd

Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.

A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.

He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.