Instagram faces a €405 million ($403 million) fine from the Irish Data Protection Commission for alleged violations of the General Data Protection Regulation (GDPR).
After a two-year investigation into claims Instagram infringed on children's privacy by publishing the email addresses and phone numbers of kids aged 13 to 17, DPC issued the sanction, which was first reported by Politico.
The Irish DPC confirmed the fine in an email to PCMag, and said "full details of the decision" will be released next week.
Meta, however, argued that it's made great strides over the past year and a half toward protecting young people on Instagram. "This inquiry focused on old settings that we updated over a year ago, and we've since released many new features to help keep teens safe and their information private," a company spokesperson said in an emailed statement.
That includes putting its pre-teen social network spinoff on hold, launching more parental supervision tools, and testing fresh ways to verify users' age.
"Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can't message teens who don't follow them," the tech giant continued. "We engaged fully with the DPC throughout their inquiry, and we're carefully reviewing their final decision."
Meta's third GDPR penalty from the Irish regulator is also the second-highest fee under the European Union's regulation—which took effect in 2018 in an effort to boost individuals' control and rights over their personal data. The top spot is currently held by Amazon, which last year incurred a €746 million ($743 million) fine for not complying with EU privacy rules.
Following separate inquiries into GDPR breaches by Meta's other social platforms, the DPC previously imposed fines on WhatsApp (€225 million in 2021) and Facebook (€17 million in March). The Irish DPC has at least six other investigations into Meta-owned companies "in the pipeline," according to Politico.