The Irish Data Protection Commission has fined Meta-owned social media platform Instagram €405 million for violations of the General Data Protection Regulation.
The fine, which is the second-highest fine under the GDPR after a €746 million penalty against Amazon, is the third for a Meta-owned company handed down by the Irish regulator.
In an emailed statement, the Irish DPC confirmed the penalty but declined further comment.
The Irish regulator imposed the fine after having to trigger a dispute-resolution mechanism to resolve other European data protection authorities’ input on the penalty.
The penalty, currently the highest for a Meta-owned company — after a €225 million fine for WhatsApp and a €17 million fine for Facebook — is aimed at Instagram’s violation of children’s privacy, including its publication of kids’ email addresses and phone numbers.
The Irish DPC has at least six other investigations into Meta-owned companies in the pipeline.
“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson said. “Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”
This article has been updated to include a comment from Meta.