Irish regulators are slapping Instagram with a big fine after an investigation found the social media platform mishandled teenagers’ personal information in violation of strict European Union data privacy rules.
Ireland’s Data Protection Commission said by email Monday that it made a final decision last week to fine the company 405 million euros ($402 million), though the full details won’t be released until next week.
The penalty is the second-biggest issued under the EU’s stringent privacy rules, after Luxembourg’s regulators fined Amazon 746 million euros last year.
Instagram parent Meta, which also owns Facebook, said that while it had “engaged fully” with regulators throughout the investigation, “we disagree with how this fine was calculated and intend to appeal it.”
The Irish watchdog’s investigation centered on how Instagram displayed the personal details of users ages 13 to 17, including email addresses and phone numbers. The minimum age for Instagram users is 13.
The investigation began after a data scientist found that users, including those under 18, were switching to business accounts and had their contact information displayed on their profiles. Users were apparently doing it to see statistics on how many likes their posts were getting after Instagram started removing the feature from personal accounts in some countries to help with mental health.
Instagram said the inquiry focused on “old settings” that were updated more than a year ago, and it has since released new privacy features for teens, including automatically setting their accounts to private when they join.
“We’re continuing to carefully review the rest of the decision,” the company said.
Under the EU’s data privacy rules, the Irish watchdog is the lead regulator for many U.S. tech companies with European headquarters in Dublin.
The watchdog has a raft of other inquiries into Meta-owned companies. Last year, it fined WhatsApp 225 million euros for breaching rules on transparency about sharing people’s data with other Meta companies.