Irish data watchdog fines Instagram €405m for GDPR violations

5 Sep 2022

Image: © Syifa5610/

The Irish Data Protection Commission has previously fined Meta-owned WhatsApp €225m and Meta €17m for GDPR breaches.

Social media platform Instagram is being fined by €405m by the Irish Data Protection Commission (DPC) for breaching the General Data Protection Regulation (GDPR). The platform is being fined for violating children’s privacy, including its publication of kids’ email addresses and phone numbers in some cases.

This is the third fine issued to a Meta-owned company by the DPC. When contacted for a comment by, a spokesperson for the DPC confirmed that the fine was being issued. They added that full details of the decision will be published next week.

The decision relates to an inquiry that commenced on 21 September 2020 on foot of information provided to the DPC by a third party, and in connection with processing identified by the DPC itself.

The scope of the inquiry concerns two types of processing carried out by Meta in Ireland, then known as Facebook. One relates to allegations that the tech giant allowed children between the ages of 13 and 17 to operate business accounts on the Instagram platform.

The DPC said that the operation of such accounts required and facilitated the publication of the child user’s phone number and email address.

The second type of processing investigated was that Facebook operated a user registration system for the Instagram service whereby the accounts of child users were set to public by default. This meant that the social media content of the child user was made public unless the account was otherwise set to private.

The penalty is the second-highest fine issued under the GDPR after a €746m fine against Amazon. It is the highest for a Meta-owned company. Last September, Meta-owned WhatsApp was fined €225m by the DPC for GDPR breaches. WhatsApp Ireland later had to make changes to its privacy policy after stern warnings from the DPC.

Earlier this year, Meta was fined €17m under GDPR by the DPC. The watchdog has at least six other ongoing investigations into Meta-owned companies in the works.

Meta issued a statement to Politico in response to the news of the fine, claiming that the inquiry that led to the penalty being imposed today focused on old settings that it had “updated over a year ago”.

“We’ve since released many new features to help keep teens safe and their information private,” the Meta spokesperson added. “Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Blathnaid O’Dea was a Careers reporter at Silicon Republic until 2024.