Meta was fined roughly $400 million for breaking European Union data privacy laws for its treatment of children’s data on Instagram, the latest in a series of steps by authorities in Europe and the United States to crack down on what information is collected and shared by companies about young people online.
Ireland’s Data Protection Commission said it decided on Sept. 2 to impose what would be one of the largest fines to date under the General Data Protection Regulation, or G.D.P.R., the four-year-old European data privacy law that has been criticized for being weakly enforced.
Policymakers are attempting to better safeguard children’s data generated on social media, online video games and other internet services. California lawmakers last week passed a law that would require many online services to increase protections for children. Britain passed a similar law last year.
European laws give children’s data special protections. In 2020, Ireland’s Data Protection Commission began investigating Instagram for making the accounts of children aged 13 to 17 set to public by default, and for allowing teenagers with business accounts on Instagram, many of them aspiring influencers, to make public their email addresses and phone numbers.
Graham Doyle, a spokesman for the Irish Data Protection Commission, confirmed that Instagram had been fined 405 million euros, or about $402 million, and said more details about the decision would be released next week. Politico first reported the fine.
Meta said it disagreed with the decision and planned to appeal, setting up what could be a lengthy legal process. The company said the inquiry focused on old settings that were updated over a year ago, and that it has since added several more features to improve the safety of young users.
“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them,” the company said in an emailed statement.
The fine far exceeds any others to date by Ireland against Meta, reflecting regulators’ broader efforts to address the potentially harmful effect that social media and the internet have on young people.
European policymakers this year adopted additional rules related to children. In a new law called the Digital Services Act, companies are prohibited from using certain data to personalize advertising targeted at people under 18 years old.
Instagram has been under particular scrutiny in Europe and the United States for its policies related to children, including how its recommendation algorithm affects body image and self-esteem. President Biden has called for stronger child protections on social media.
Ireland is at the center of a number of battles related to Meta’s data-collection practices. Because Meta uses Ireland as its European headquarters, the country is tasked with policing the company’s compliance with G.D.P.R., a sweeping law enacted in 2018 to limit how companies collect and share people’s data.
Irish regulators have been criticized for not being more aggressive in enforcing the data protection laws, leading some privacy groups to say the policy has not lived up to its lofty expectations.
Irish officials have said that the cases take time. Last year, regulators fined Meta 225 million euros for violations related to the messaging service WhatsApp. In March, the authorities fined the company 17 million euros over a data breach.
In a separate case, the country has threatened to force Meta to stop moving data from European users to the company’s U.S. data centers. That dispute stems from a court decision that said data from Facebook and Instagram users in Europe was not protected from American surveillance agencies that have legal access to information about international users.