Instagram has been fined €405m (£349m) for publicly sharing the emails and phone numbers of children who used the photo-sharing app.
Ireland’s data watchdog imposed the fine on the Californian-tech business for violating EU data laws governing online privacy. It's the second largest fine ever levied for breaches of the rules.
Until last summer, Instagram’s services automatically made the email addresses and phone numbers of under-18s who operated business and “creator” accounts public, meaning adults could contact them directly.
The number of affected children was not revealed but is thought to be in the millions given the EU-wide nature of the breach.
The penalty is the largest ever fine imposed on Instagram for breaking the EU’s General Data Protection Regulation (GDPR) and the second largest penalty ever handed out under EU data laws. Only a €746m fine issued to Amazon last year was bigger.
A spokesman for the DPC confirmed the fine and said full details of the decision would be published next week.
The penalty was first reported by the Politico website, which said that Ireland’s DPC has “at least six other investigations” open into companies owned by Instagram’s parent company Meta.
An Instagram spokesman said the penalty was imposed over “old settings that we updated over a year ago,” adding: “We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”
The photo-sharing app changed the default privacy settings for children’s accounts last July after Ireland’s Data Protection Commission (DPC) opened its investigation in 2020.
“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them,” the Instagram spokesman said.
Baroness Beeban Kidron, who campaigns for tougher regulation of big tech companies, said: “This is an important decision by Helen Dixon, the Irish Data Protection Commissioner. Tech companies should be held accountable for the impact they have on their users – especially those who are more vulnerable, and children most of all.”
Ireland is Meta’s EU headquarters, meaning Irish authorities are responsible for enforcing EU laws governing its local operations.
Separately, Instagram deleted the account of Pornhub over the weekend. Meta did not comment on the decision, which deprived Pornhub of its 13m followers on the site.
Anti-pornography campaigners welcomed the move. Dawn Hawkins, chief executive of the US National Center on Sexual Exploitation, said: “Pornhub shared with its 13 million Instagram followers sexually graphic content, directly promoted pornography, and featured videos like ‘Next Career Goal’ encouraging its audience to become a pornography performer.”
Pornhub, an adult entertainment website, made no public statement about the deletion at the time of writing.
Meta has been fined repeatedly by the DPC for violating GDPR rules. Last year it fined the company, run by Mark Zuckerberg, €225m for breaches on WhatsApp. The fine is under appeal in the Irish courts.
Earlier this year Meta was fined €17m by the DPC after its subsidiary Facebook was found to have failed to prevent a dozen data breaches during 2018.
Meta’s share price remained level on the news of the latest Instagram fine. The Irish Times reported in May that the US-headquartered company has set aside almost €1bn to cover various administrative fines it expects to receive from the DPC.