DECISION SUMMARY
What happened
On 2 September 2022, the Irish Data Protection Commission announced the conclusion of two related inquiries into Meta Platforms Ireland Limited (then Facebook Ireland Limited), concerning the processing of personal data relating to child users of the Instagram service. The DPC imposed an aggregate administrative fine of €405 million. The inquiries covered the period from 25 May 2018 (the start of GDPR application) to 6 December 2018, and the relevant facts continued to be in force during that period as platform defaults.
The factual core was the visibility of teenage users' contact information. Instagram offered users the option to convert their personal account to a "business account", a feature aimed at influencers, small businesses and public figures who wanted analytics, profile categorisation and a contact button on their profile. The business-account upgrade was available to any user, including users aged 13-17. When a teenager upgraded to a business account, the email address and phone number associated with the account would, by default, be published on the user's public Instagram profile in the contact button. There was no separate consent step warning the user that this would happen, and the default was public visibility rather than profile-owner-only.
The complaint was originally raised by US data-protection researcher David Stier in 2018, who reported that he had identified Instagram profiles of children with published phone numbers and email addresses. The DPC opened the inquiry in September 2020. As lead supervisory authority under Article 56, the DPC ran the inquiry, circulated a draft decision in late 2021, and processed the Article 60 objections from concerned authorities. Six concerned supervisory authorities raised reasoned objections that the DPC could not resolve, and the matter was referred to the EDPB. EDPB Binding Decision 2/2022 (issued 28 July 2022) instructed the DPC to amend its draft, including to apply the upper-end fine amount and to make additional infringement findings.
What the DPC found
The DPC found infringements across seven Articles. Article 5(1)(a) (lawfulness, fairness, transparency) was infringed because the business-account upgrade flow did not clearly explain that contact information would become public, and the fairness of switching a child's contact details from private to public by default was inadequate. Article 5(1)(c) (data minimisation) was infringed because the default public visibility was more than necessary for the platform service. Article 6(1) (lawful basis) was infringed because Meta could not point to an appropriate lawful basis for the public-by-default processing.
Article 12(1) (transparent information) and Article 13(1)(c) and (e) (categories of data and recipients) were infringed because the privacy information provided to child users about the visibility consequence was not in clear and plain language appropriate to child users. Articles 24(1) and 25(1) were infringed because Meta's controller responsibility and data-protection-by-design obligations were not satisfied at the architecture level: the visibility defaults were not configured to reflect by-default-protective settings for child users. Article 35(1) was infringed because Meta had not conducted an adequate DPIA for the processing notwithstanding that it involved systematic monitoring of children at scale. Article 25(2) (data protection by default) was infringed because the most-private setting was not the default.
The Article 25 findings are doctrinally important. The Article 25(2) duty is that a controller, by default, must process only personal data necessary for each specific purpose. The Instagram default was the inverse: it published contact information by default without verifying necessity. The DPC made clear that this inversion of the by-default duty was the central architectural infringement, and that subsequent product fixes by Meta did not retroactively cure the historical processing.
Why the fine was this size
The €405 million figure was the upper end of the range proposed in the DPC draft decision, applied at the instruction of the EDPB. Meta Platforms reported total revenue of approximately US$118 billion for 2021, making the 4% Article 83(5) cap for the relevant undertaking approximately €4.7 billion. The €405 million fine is roughly 0.35% of group revenue.
The aggravating Article 83(2) factors are similar to the TikTok 2023 case: children as the affected data subjects (Recital 38), the systematic and intentional nature of the design choices, the scale of users affected (teenage business-account users across the EU), prior infringements by Meta entities, and the failure of Meta's internal governance to identify the architectural problem before it was reported externally. Mitigating factors plausibly include remediation work undertaken in 2018-2019 (changing the business-account upgrade flow to require explicit consent before publication) and cooperation with the DPC inquiry.
Corrective orders and remediation
The DPC ordered Meta to bring its child-user-affecting processing into compliance with Articles 5, 6, 12, 13, 24, 25 and 35 within three months of the decision date. Meta had already made substantive changes to the business-account upgrade flow in 2019, including switching the visibility default to off and adding an explicit prompt before publication. The corrective order required Meta to confirm and document the architectural fix in writing.
Why the case matters
The Instagram €405 million decision sits at the top of a cluster of Meta-Ireland DPC fines that, taken together, total more than €2.5 billion across 2021-2025. Read alongside the WhatsApp €225 million transparency fine of 2021 and the Meta €390 million contractual-basis fine of January 2023, the Instagram fine establishes that the DPC is willing to apply substantial fines to design and information-architecture problems that affect children, even where the underlying factual harm (publicly visible contact details) was technically permitted by the user's own act of upgrading to a business account.
The decision also illustrates how the EDPB Article 65 mechanism shapes Big Tech outcomes. The DPC's initial draft included an Article 6 finding but proposed a lower fine; the EDPB binding decision instructed the DPC to apply the upper end and to make additional findings. The same pattern recurs in Meta 2023 (€390M contractual basis), WhatsApp 2021 (€225M transparency, raised from €30-50M draft) and Meta 2023 Chapter V (€1.2B, with the additional deletion-or-repatriation order added at EDPB instruction). For Big Tech entities established in Ireland, the Article 65 mechanism is now a structural feature of every significant cross-border inquiry.