Instagram fined €405M in EU over children’s privacy

A fat fine — of €405 million — is headed Instagram’s way after European Union privacy regulators came to a decision on a long-running complaint related to how the social media platform handles children’s data. The penalty is for a breach of the EU’s General Data Protection Regulation (GDPR).

Meta was contacted for comment on the penalty.

We understand the final GDPR decision on the Instagram enquiry was sent to Meta, Instagram’s parent, Friday — ahead of formal publication on the websites of the company’s lead data supervisor in the EU, Ireland’s Data Protection Commission (DPC); and the European Data Protection Board (EDPB), a steering body which helped coordinate a decision-review process involving other interested EU data protection authorities —  however the size of the penalty for Meta appears to have leaked early, via a report in Politico, which contains the fine figure (which shakes out to around $403 million at current currency exchange prices) but no further details of the decision.

Ireland’s DPC confirmed the level of fine to us. Deputy commissioner, Graham Doyle, told TechCrunch: “We adopted our final decision last Friday and it does contain a fine of €405 million. Full details of the decision will publish next week.”

The Instagram penalty is the largest GDPR penalty the social media giant has been hit with to-date (though not the largest ever GDPR fine; that one landed on Amazon) — following a $267 million penalty levied upon the Meta-owned messaging platform WhatsApp last September for violations of the GDPR’s transparency principle.

The Instagram complaint focused on the platform’s processing of children’s data for business accounts and on a user registration system it operated which the DPC found could lead to the accounts of child users being set to “public” by default, unless the user changed the account settings to set it to “private.”

The GDPR contains strong measures requiring privacy by design and default generally — as well provisions aimed at enhancing the protection of children’s information specifically and ensuring that services targeting kids are living up to transparency and accountability principles (such as by providing suitably clear communications that children can understand).

The reasoning underpinning the fine for Instagram is expected to be released in the coming days, when the final decision gets published next week (assuming it doesn’t leak early).

While today’s headlines are going to make painful reading for Meta, TikTok is another social media firm likely to be watching developments closely since it’s under investigation by the DPC over its own handling of children’s data. But that enquiry was only opened by the DPC a year ago so it’s likely to have some time to run before a decision is reached.

The Instagram decision took extra time as other DPAs raised objections to Ireland’s draft decision — triggering a mechanism in the regulation designed to settle disputes which can add many more months to the timeframe.

Ireland’s WhatsApp decision also went through a review process after objections were raised to its draft — and in that case the size of the penalty was substantially raised as a result. But it remains to be seen whether the same has happened here with Instagram.