Meta Tops GDPR Fine List as Social Media Giants Pay €3.9 Billion Over Data Privacy Violations

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has emerged as the most heavily fined social media company under the European Union’s General Data Protection Regulation (GDPR), according to a new report by cybersecurity firm Surfshark.

The report analysed GDPR enforcement actions against the world’s top 10 social media platforms by monthly active users, revealing that five major platforms, Meta, TikTok, LinkedIn, X (formerly Twitter), and Instagram, have collectively paid €3.9 billion in fines for data protection violations.

Meta Leads with €2.7 Billion in GDPR Fines

Meta’s suite of platforms has incurred €2.7 billion in fines, making it the single most penalised tech company under the GDPR framework. Most of these violations are tied to the misuse of personal data, including children’s data, a growing concern for European regulators.

Notable Meta GDPR violations:

  • Instagram was fined €405 million in 2022 for defaulting business accounts created by children to “public” status, compromising minors’ privacy.
  • Facebook received a €251 million penalty in 2024 due to a data breach that affected underage users.

TikTok Fined €890 Million for Mishandling Children’s Data

TikTok, another major player under scrutiny, has received three GDPR fines totalling €890 million. Violations included:

  • Failing to provide an understandable privacy policy in Dutch.
  • Setting underage accounts to public by default.
  • Allowing adults to falsely register as guardians without verification.

The most recent fine was issued in 2025, reflecting intensified EU oversight over child data protection.

LinkedIn and X Also Penalized

Other social media platforms have also faced enforcement actions.

  • LinkedIn was fined €310 million for GDPR violations.
  • X (formerly Twitter) received a €450,000 fine.

Meanwhile, YouTube, Snapchat, Pinterest, Reddit, and Threads have not yet been fined, but experts caution this does not necessarily indicate full compliance.

GDPR Enforcement Still Inconsistent Across EU

According to Felix Mikolasch, a data protection lawyer at privacy advocacy group NOYB, GDPR enforcement remains reactive and uneven across Europe.

“The current enforcement efforts by data protection authorities are rather reactive; sometimes they are non-existent at all,” Mikolasch told Surfshark.

The report also reveals that one-third of all GDPR fines issued to social media platforms are related to mishandling children’s data, underscoring a growing regulatory focus on protecting minors online.

Compared to Surfshark’s last report in October 2023, the total fine amount has risen nearly 30%, fuelled by four new fines issued to Meta, TikTok, and LinkedIn.

GDPR vs Nigeria’s Data Protection Approach

While the GDPR crackdown continues in Europe, Nigeria’s regulatory response to data privacy violations has been more remedial than punitive.

Dr. Vincent Olatunji, National Commissioner of the Nigeria Data Protection Commission (NDPC), stated that the commission prefers to encourage compliance rather than impose financial penalties. “Usually, when we investigate and find a breach, if they are ready to comply with the law, what is the point of making noise?” he said. Olatunji emphasised that the NDPC takes Nigeria’s economic realities into account and avoids actions that could discourage foreign investment.

With Meta, TikTok, and other tech giants facing mounting GDPR fines for data breaches and misuse of children’s data, the pressure is on social media companies to overhaul their data protection policies. As Europe tightens enforcement, countries like Nigeria are taking a softer approach, prioritising education and compliance over penalties.

 
