The Irish Data Protection Commission has fined Meta-owned social media platform Instagram €405 million for violations of the General Data Protection Regulation.
The fine, which is the second-highest fine under the GDPR after a €746 million penalty against Amazon, is the third for a Meta-owned company handed down by the Irish regulator.
The long-running complaint concerned children's data - particularly their phone numbers and email addresses.
Some reportedly upgraded to business accounts to access analytics tools such as profile visits, without realising this made more of their data public.
Instagram's owner, Meta, said it planned to appeal against the decision. It is the third fine handed to the company by the regulator.
"We adopted our final decision last Friday and it does contain a fine of €405m [£349m],"
Ireland's Data Protection Commissioner (DPC) said.
Instagram had allowed users aged between 13 and 17 to operate business accounts on the platform, which showed the users’ phone numbers and email addresses. The DPC also found the platform had operated a user registration system whereby the accounts of 13-to-17-year-old users were set to “public” by default.
Instagram has said that prior to September 2019, it had put user contact details on business accounts and had informed users during the setup process. Under-18s now have their account set to private automatically when they join the platform.
Meta said in a statement to Politico that it updated the public-by-default setting more than a year ago, and that “anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.” The company told the Associated Press that “we disagree with how this fine was calculated and intend to appeal it.”