The social media networking site Instagram has been hit with a record-breaking fine for breaching children’s data privacy by the way its users under the age of 18 were able to operate their accounts.

Following an extensive investigation, which began in 2020, Ireland’s Data Protection Commissioner announced a final decision was reached last Friday (3^rd September), confirming the fine of €405million – the largest penalty handed out by the regulator.

Instagram, owned by Meta Platforms Inc, came under fire as a result of the platform’s former user settings, which allowed phone numbers and email addresses of individuals to be automatically visible to the public when users switched to a ‘business’ account. This was able to be actioned by any account – meaning users under the age of 18 had personal data available in the public domain if they were to switch account set ups. 

Andy Burrows, Child-Safety-Online Policy Head at National Society for the Prevention of Cruelty to Children (NSPCC) said: “This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram,”.

This enforcement action is not the first to be issued by the Data Protection Commission (DPC) to Meta, having fined Instagram’s sister company WhatsApp €225million last year. The DPC regulates large technology companies with European Headquarters in the Republic of Ireland and had issued another fine to Meta earlier this year, which at the time of investigation was trading as Facebook Ireland, making this most recent decision the third fine in two years.

“This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to keep teens safe and their information private,” A Meta official told the BBC.

This is the largest fine issued by the DPC for a breach of the EU GDPR and, whilst Meta is intending to appeal the decision, will undoubtedly not be the last.