Instagram has been fined 405 million euros ($402 million) by the Irish Data Protection Commission for violations of the General Data Protection Regulation.

The fine, the second-highest under the GDPR after a 746 million euro penalty against Amazon, is the third for a Meta-owned company handed down by the Irish regulator, reports Politico.

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson was quoted as saying.

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults cannot message teens who do not follow them. We engaged fully with the DPC throughout their inquiry, and we are carefully reviewing their final decision,” the spokesperson added.

In an emailed statement, the Irish DPC confirmed the penalty but declined further comment.

The regulator imposed the fine after having to trigger a dispute-resolution mechanism to resolve other European data protection authorities’ input on the penalty.

The penalty, currently the highest for a Meta-owned company — after a 225 million euro fine for WhatsApp and a 17 million euro fine for Facebook — is aimed at Instagram’s violation of children’s privacy, including its publication of kids’ email addresses and phone numbers.
