Ireland's Data Protection Commission (DPC) has issued a fine of €405m ($402.2m) against social media site Instagram following an investigation into its handling of children's data.
The fine was partially based on the fact Instagram had allowed children to run business accounts, which showed the account holder's phone number and email address, thus exposing the minors' data.
Further, as the EU's regulator for several Ireland–based US tech giants, including Meta (Instagram holding company), the DPC fined the social media giant on the basis that the accounts of 13 to 17–year–old users were set to 'public' by default.
"We adopted our final decision last Friday, and it does contain a fine of €405m," a spokesman for Data Protection commissioner Helen Dixon told news outlets. She added that full details behind the investigation and consequent fine would be announced next week.
In response to the fine, a Meta spokesperson said Instagram updated its privacy settings more than a year ago and has since published new features aimed at keeping teens safe and their information private.
The company also reportedly "engaged fully" with the regulator throughout the investigation but disagreed with how the penalty was calculated.
The DPC fine against Instagram is the second–highest fine issued under the General Data Protection Regulation (GDPR), following a €746m ($740.8m) penalty dropped against Amazon in July 2021.
It's not the first one the Irish Watchdog issued against Meta, however. In fact, the Data Protection Commission served a €225m fine to WhatsApp (also a subsidiary of Meta) in September 2021 for failing to discharge GDPR transparency obligations.
More recently, the DPC fined Meta €17m ($19m) in March 2022 over an inquiry into 12 data breach notifications.
Understandably, the history between Meta and the DPC has been quite turbulent over the past couple of years. This, among other factors, caused the social media giant to recently say it "will likely" stop Facebook and Instagram from operating in Europe unless the firm is allowed to deal with Europeans' data on servers based in the United States.