Meta Platforms has been fined €405 million (R6.9 billion) by Ireland’s Data Protection Commission (DPC) over how it handles teenagers’ data, The Verge reports.

The ruling and fine were finalised on Friday, 2 September 2022, after a two-year investigation into how Meta had breached General Data Protection Regulation (GDPR) rules.

The regulator determined that the company breached GDPR rules in two ways.

First, it allowed 13- to 17-year-old youngsters to create Instagram business accounts, making their contact information available to the public.

It is alleged that Instagram also made some young users’ accounts public by default.

This is the largest fine that the DPS has imposed on Facebook, which became Meta Platforms last year.

It was fined €225 million (R3.8 billion) in September 2021 for failing to be transparent about how it handled personal information on WhatsApp.

At the time, the DPC said it found violations in the way WhatsApp explained how it processed user and non-user data, and how Facebook shared data between WhatsApp and its other companies.

Facebook was ordered to change its privacy policy, and a WhatsApp spokesperson said the company planned to appeal the decision.

The Verge reported that Meta also received a much smaller fine of €17 million (R290 million) in March 2022 for record-keeping issues around security breaches.

“This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information,” a Meta spokesperson said at the time.

“We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”