Meta Platforms Inc., the parent company of Facebook, Instagram, and WhatsApp, has been ranked as the most heavily penalised social media company under the European Union’s General Data Protection Regulation (GDPR), according to a newly released report by cybersecurity firm Surfshark.
The report, which analysed enforcement actions against the ten most popular social media platforms by monthly active users, revealed that Meta accounted for €2.7 billion out of the €3.9 billion in total GDPR-related fines issued across the sector.
The penalties stem from various violations, most notably the misuse of personal data, including the improper handling of children’s data.
Instagram, one of Meta’s key platforms, was fined €405 million in 2022 after it was discovered that business accounts created by minors were automatically set to public by default, exposing sensitive personal information without appropriate consent.
This misconfiguration resulted in large-scale data exposure among underage users.
Facebook followed with a €251 million fine in 2024 due to a significant data breach that compromised user information, including that of minors.
The incident highlighted persistent vulnerabilities in Meta’s data protection practices despite repeated warnings and previous enforcement actions.
TikTok, operated by China’s ByteDance Ltd., has also come under intensified scrutiny, particularly regarding its handling of children’s data.
The platform has been fined €890 million across three separate enforcement actions, including the most recent in 2025.
Regulators cited failures to provide adequate privacy controls, as well as misleading account settings that defaulted to public visibility for minors.
Other social media platforms have also been subject to GDPR fines. LinkedIn received a €310 million penalty, while X (formerly Twitter) was fined €450,000. These enforcement actions were largely based on violations involving inadequate data protection frameworks and insufficient safeguards against unauthorised access.
Notably, five major platforms — YouTube, Snapchat, Pinterest, Reddit, and Threads — have not recorded any GDPR-related fines to date, indicating a comparatively stronger compliance posture or lesser regulatory focus at this time.
The report underscores the European Union’s increasing vigilance in enforcing the GDPR, which came into effect in 2018. Enforcement activity has intensified as social platforms expand their user base and data collection practices across multiple jurisdictions, particularly within vulnerable demographics.
Analysts note that the trend signals growing regulatory pressure on digital platforms to reassess their data governance strategies. With GDPR fines reaching record levels and enforcement mechanisms becoming more aggressive, platforms failing to adapt may face significant financial and reputational risks.
For investors, the continued regulatory burden on data-driven platforms like Meta and TikTok presents both compliance risks and potential headwinds for monetisation strategies that rely heavily on personal data profiling.
As the European Commission and national data protection authorities ramp up enforcement, market participants are expected to track regulatory developments closely, particularly in cases involving high-valuation tech companies operating across global markets.