Ireland has fined Instagram 405 million euro for poor data security practices concerning children.

GDPR, or the General Data Protection Regulation, is a set of regulations in the European Union about protecting the information of individuals using websites, especially social media. A requirement under the GDPR is that the information of minors be especially protected.

In 2020 and before, complaints were filed with the Data Protection Commission concerning Instagram’s practices. The Meta-owned (Facebook, at the time) company defaulted all newly made accounts to public settings, which revealed whatever contact information was used to make the account. Instagram explicitly allowed users as young as 13 to make accounts, but did not distinguish between adults and minors with this default setting. According to the complaints, it also allowed children to make business accounts on the platform, which require all contact information to remain public.

In early September, the data regulator of Ireland issued Instagram a 405 million euro ($403.7 million) fine for the GDPR violation. It is Meta’s third large fine from Ireland in a short time, and their largest. Meta was fined 17 million euro in March for data breach matters on Facebook, and 225 million euro last year over privacy law violations on their messaging app WhatsApp.

“While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it. We’re continuing to carefully review the rest of the decision,” said a Meta representative. The decision was based on practices from two years ago. In the past year, Instagram has changed the default setting for minors’ accounts and added a disclaimer to business accounts, with an option to remove personal information.

Ireland’s strict take on the GDPR is inspiring other countries to draw up rules sheltering children’s data, including Australia, Canada, and U.S. states like California.

Photo: Sergei Elagin / Shutterstock