Ireland’s data protection regulator has issued a fine of 405 million euros, or about $402 million, to Meta Platforms Inc. after determining that Instagram had failed to comply with the GDPR privacy law.

The fine was reported by Politico today. Ireland’s data protection regulator, the Irish Data Protection Commission, confirmed the news in a statement following the report. The DPC intends to release the full details of its decision next week.

DPC officials issued the $402 million fine to Meta after determining that Instagram had failed to comply with the part of the GDPR privacy law focused on children’s privacy. According to Reuters, Meta allowed children between the ages of 13 and 17 to create business accounts on Instagram. Those business accounts’ settings reportedly facilitated the publication of users’ phone numbers and email addresses.

The DPC first started investigating the matter in 2020 and, ahead of the $402 million fine announced today, issued a draft decision. That draft decision reportedly wasn’t immediately accepted by other data protection regulators in the European Union. As a result, the DPC launched a so-called dispute-resolution process through which it collected input on the investigation from multiple other EU regulatory agencies.

Meta reportedly intends to appeal the decision.

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” Meta told Politico in a statement. “Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.”

DPC is responsible for carrying out GDPR investigations related to Meta because the social network’s EU headquarters is located in Ireland. The fine detailed today is the third that the DPC has issued to Meta since GDPR was implemented. 

Previously, the regulator fined the company $18.7 million in March over GDPR violations related to Facebook’s cybersecurity controls. Earlier, Meta received a $267 million penalty after the DPC found that WhatsApp unit’s privacy practices had fallen short of regulatory requirements. DPC officials determined that WhatsApp failed to provide users with sufficient information on how it collects and processes their data.

Meta’s privacy practices have also faced scrutiny in the U.S. Last month, the company offered to pay $37.5 million to settle a lawsuit accusing it of collecting consumers’ location data without permission. In February, Meta paid $90 million to settle another lawsuit focused on its data collection practices.

Photo: Unsplash