Meta Fined €405 Million by Irish Regulators for Exposing Children’s Data on Instagram

Meta, Instagram’s owner, was recently fined €405 million (£349m) by the Irish Data Protection Commission. The second largest fine ever handed for GDPR violation comes after a two-year investigation. It revealed how Instagram had exposed sensitive personal information of teenagers on their accounts.

The two-year investigation by the Irish Data Protection Commission (DPC) revealed that Instagram had failed to protect sensitive personal information of children below the age of 18 from being exposed publicly – as GDPR requires.

The DPC inquiry found that Instagram allowed children between the age of 13 and 17 to set up and operate business accounts, which publishes their email and phone number. It had also allowed children to set up accounts which were “public” by default. A “public” account means that their “profile and posts can be seen by anyone, on or off Instagram, even if they [the viewers] don’t have an Instagram account.” This put the young users at serious risk.

As a result, the DPC has now confirmed a fine of €405 million, which is the largest amount that Meta has been fined and the second largest fine for a GDPR violation. The largest fine ever levied was for €746 million on Amazon.

Interestingly, this isn’t the first time that Meta has run afoul of GDPR. It was fined €225 million by the Irish regulators, almost exactly a year ago in September 2021, for “severe” and “serious” violations on its other subsidiary, WhatsApp. Those violations had also put sensitive user data in jeopardy.

Meta’s response is that those security issues on Instagram have now been resolved. They also intend to appeal the fine.

“This inquiry focused on old settings,” a Meta representative said, “that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private.

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.

“While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it. We’re continuing to carefully review the rest of the decision.”

A Wake-Up Call for Big Tech

There’s growing concern among parents about the effects of social media on their children’s mental health. As well as that, they are also worried about the security risks that the big tech exposes them to. A year ago, Instagram paused work on its Instagram Kids after uproar from parents. Commenting on the violation, Angel Maldonado, CEO of said:  

“Instagram’s GDPR violation around children’s data privacy, raises serious concerns around the ethical standard that big tech companies adhere to. Will Meta only recognise the fragile trade-off between privacy and personalisation through overwhelming scrutiny?  

“It’s time to wake up and name these business models for what they are: abusive, obscene, and wrong. Revealing children’s email addresses and phone numbers may be the tip of the iceberg, but what are the implications for other serious issues such as misinformation, lack of transparency, threats to geopolitics, war and downgraded moral values?  

“Big tech companies like Meta might not intend on these knock-on effects but violations like this cement exactly why consumers don’t feel safe online, whether on social media or ecommerce sites.”