Meta Platforms, owner of Facebook, Instagram, and WhatsApp, has been fined more than any other social media company under Europe’s General Data Protection Regulation (GDPR), accumulating €2.7 billion in penalties for violating data protection laws, particularly those concerning children.
A detailed review by cybersecurity firm Surfshark reveals that five major social media platforms (Meta’s Facebook and Instagram, TikTok, LinkedIn, and X, formerly Twitter) have together received fines amounting to €3.9 billion. Meta alone is responsible for nearly 70% of that figure.
The most eye-opening fine came in 2022, when Instagram was ordered to pay €405 million. The offence? Automatically setting business accounts created by children to public, exposing sensitive information without consent.
Then came another blow in late 2024, when Facebook was fined €251 million following a data breach that compromised the personal data of minors. These incidents make Meta the most penalised company under the GDPR framework.
TikTok hasn’t escaped this either. Its failure to properly handle children’s data has led to three separate fines, with the most recent one issued this year.
Together, these penalties total €890 million. The platform allowed underage accounts to default to public, failed to provide privacy policies in local languages like Dutch, and permitted adults to falsely register as legal guardians without verifying their authority to do so.
LinkedIn and X have each received single fines, €310 million and €450,000 respectively. Platforms like YouTube, Snapchat, Pinterest, Reddit, and Threads have so far avoided penalties, but experts caution that this is not necessarily evidence of full compliance.
“The current enforcement efforts by data protection authorities are rather reactive, sometimes they are non-existent at all,” said Felix Mikolasch, a data protection lawyer at NOYB, a European privacy advocacy group.
Over one-third of all GDPR fines issued to social platforms relate specifically to mishandling children’s data.
We see that the European Union is stepping up its enforcement of GDPR rules, particularly as digital platforms increasingly target younger audiences and collect vast amounts of personal information.
Since Surfshark’s last report in October 2023, there has been a 30% jump in the total value of fines, driven by four new cases: two linked to Meta, one to LinkedIn, and another to TikTok.
Meanwhile, here in Nigeria, social media companies including Meta and TikTok operate freely, despite evidence of similar data practices. No major fines have been announced. The Nigeria Data Protection Commission (NDPC) has opted for a softer, compliance-first approach.
“Usually, when we investigate and find a breach, if they are ready to comply with the law, what is the point of making noise?” said the NDPC’s National Commissioner, Dr. Vincent Olatunji. “It’s only when an organisation is unwilling to comply with the law that we are forced to impose sanctions.”
Dr. Olatunji added that the Commission also considers the economic impact. Penalising foreign tech companies could send the wrong signals to investors.
That rationale might explain why, despite operating under Nigeria’s Data Protection Act, which mirrors many of GDPR’s core principles, no social media platform has yet been held publicly accountable for breaches.
This raises a fundamental question: can a model based on dialogue and remediation work when enforcement by example has already proven effective elsewhere?
Europe’s approach is that any company that breaks the rules pays the price. Nigeria’s model, however, leans heavily on trust, hoping compliance will come without punishment.