Date: 2025-05-29

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has emerged as the most heavily fined social media company under the European Union’s General Data Protection Regulation (GDPR), according to a new report by cybersecurity firm Surfshark.

The report, which analyzed enforcement actions against the ten most popular social media platforms by monthly active users, reveals that half of them, Facebook, Instagram, TikTok, LinkedIn, and X (formerly Twitter), have collectively been fined €3.9 billion for GDPR violations.

Of that amount, the report shows that Meta’s platforms racked up a staggering €2.7 billion in fines, primarily for violations tied to the misuse of personal data, including that of children.

Meta’s mounting fines

According to the report, Instagram alone was fined €405 million in 2022 after it was discovered that business accounts created by children were set to public by default, exposing sensitive information without proper consent.

Facebook followed with a €251 million penalty in late 2024 due to a data breach that also compromised the personal data of minors.

Combined, these incidents have made Meta the most penalized social media firm under the EU’s strict privacy law.

Meanwhile, TikTok has also been under intense scrutiny, incurring three fines related to child data misuse, totaling €360 million.

Violations included failing to provide an understandable privacy policy in Dutch, allowing public account defaults for underage users, and permitting adults to falsely register as guardians without verifying legal authority.

With the latest fine issued in 2025, TikTok’s total GDPR-related penalties now stand at €890 million.

Other platforms

LinkedIn and X have each received a single GDPR fine, of €310 million and €450,000 respectively, while five other major platforms, YouTube, Snapchat, Pinterest, Reddit, and Threads, have not been fined at all.

However, experts warn that the absence of fines does not necessarily indicate full compliance.

A data protection lawyer at privacy advocacy group NOYB, Felix Mikolasch, pointed out that GDPR enforcement across Europe remains inconsistent.

“The current enforcement efforts by data protection authorities are rather reactive, sometimes they are non-existent at all,” he said in comments to Surfshark.

One of the most alarming findings from the report is that a third of all GDPR fines imposed on social media platforms relate to the mishandling of children’s data.

This reflects growing regulatory concern over how digital platforms handle the privacy of their youngest users.

The EU’s enforcement of GDPR has intensified in recent years, especially as platforms expand their reach and collect increasing amounts of user data.

Compared to Surfshark’s previous study from October 2023, the total value of fines has risen by nearly 30%, with four new fines (two to Meta, one to LinkedIn, and one to TikTok) added since then.

What you should know

While all these social media platforms also operate in Nigeria, with a high propensity for violating the Nigeria Data Protection Act, there has not been a major pronouncement of a fine against any of them.

The National Commissioner of the Nigeria Data Protection Commission (NDPC), Dr. Vincent Olatunji, recently told Nairametrics that the Commission is adopting a different approach from Europe.

According to him, the Commission’s approach prioritizes remediation rather than fines.

“Usually, when we investigate and find a breach, if they are ready to comply with the law, what is the point of making noise?

“It’s only when an organization is unwilling to comply with the law that we are forced to impose sanctions,” he said.

He added that the Commission is also taking the nation’s economy into consideration by not making pronouncements that could discourage investments.