It made headlines around the world.

News of a record fine for Instagram spread faster than a viral video on the photo-sharing app.

On Monday, the Irish Data Protection Commission (DPC) confirmed it had imposed a fine of €405m on Instagram for violations of the General Data Protection Regulation (GDPR).

It followed an investigation into breaches relating to children's data which was started in September 2020.

It was the largest fine ever imposed by the DPC.

The investigation was focused on how child users between the ages of 13 and 17 were able to operate "business accounts" on the platform which led to the publication of children's email addresses and phone numbers.

The DPC also looked at a user registration system for the Instagram service whereby the accounts of child users were set to "public" by default, thereby making public the social media content of children, unless the account was otherwise set to "private" by changing the account privacy settings.

Instagram is owned by Facebook parent company Meta.

In a statement, Meta described the settings at issue as "old" and said they had been updated over a year ago.

That was after the DPC had commenced its investigation and alerted the company to the problem.

Meta said it had since released new features to "help keep teens safe" and to help keep their information private.

The company said that it disagreed with how the fine was calculated and it intended to appeal the ruling.

The details of the Instagram decision will be published in the coming days.

The Commission has been accused of being too soft on the big tech firms it regulates and of taking too long to complete its investigations.

Last year the Data Protection Commission fined WhatsApp, which is also owned by Meta, €225m for infringements of data protection rules.

In March, the DPC imposed a fine of €17m on Meta following an inquiry into a series of 12 data breach notifications.

Despite such high-profile decisions, critics of the DPC say the authority still needs reform.

The Commission has been accused of being too soft on the big tech firms it regulates and of taking too long to complete its investigations.

Dr Johnny Ryan is a senior fellow at the Irish Council for Civil Liberties.

"There are Europe-wide concerns about how Ireland is upholding its responsibilities when it comes to data protection regulations," he said.

In February, the EU Ombudsman Emily O'Reilly opened an inquiry into how the European Commission has been monitoring the application of data protection rules in Ireland.

It followed a complaint to her office from Dr Ryan.

"We have seen criticism of the DPC from its European counterparts and from the European Parliament," Dr Ryan said.

"Investigations take a very long time to reach a conclusion and when they do, we have seen the DPC's counterparts objecting to their decisions."

"In the case of WhatsApp, they had to demand that the DPC increase the fine," he said.

"What we have found, is that Europe's enforcers tend to take views that are contrary to the DPC's views," he added.

The General Data Protection Regulation, or GDPR, is an EU regulation that came into effect in May 2018 which imposes strict requirements on the collection, use and storage of personal data.

The €405m Instagram fine grabbed headlines this week because of its record size and it was portrayed by many as a big win for the Irish Data Protection Commission.

Because so many of the big tech firms and social media giants have their headquarters in Ireland, it has fallen on the Irish Data Protection Commission to investigate alleged GDPR breaches at the likes of Meta, Google, Twitter and TikTok.

Put simply, the Irish DPC is far busier than many of its European counterparts.

So rather than "getting it wrong" and needing to be corrected and overruled by other EU regulators, there are those who believe the Irish Data Protection Commission is in a very different position to its fellow watchdogs.

Daragh O'Brien is the founder and Managing Director of Castlebridge, a data protection consultancy.

"The DPC has been the canary in the coalmine for many of the procedural issues when it comes to shared and collective decision-making among EU data protection authorities because it has been the one taking the cases and having its decisions reviewed and challenged," Mr O'Brien said.

He is also pointing out that long investigations are not unique to the Irish data watchdog.

"I have a data complaint against a multinational that is being run through the Netherlands and it has been there for two years, I have another complaint that is being run through Belgium and it seems to have disappeared into a black hole," Mr O'Brien said.

He added that it is important to remember that GDPR is still a relatively new law.

"There was a perception with GDPR that when it came into effect, the very next day, the DPC would start levying huge fines and start holding people to account but that ignored the reality that the DPC had to ramp up its organisation and that details of the legislation needed to be ironed out.

"If you look at other changes to EU law, it took competition law nearly eight years to land its first large fines and enforcements, so we're doing reasonably well when it comes to GDPR."

He added: "The bus timetable has been established, we can see a pipeline of decisions but there are procedural things that need to be gone through to make sure that any enforcement action that is challenged stands up to appeal."

When you are dealing with multi-billion-dollar tech giants, the size of the fine matters less than the remedies and reforms that the companies are forced to undertake.

Graham Doyle is a Deputy Commissioner at the DPC.

"For the last 12 to 18 months, I have been saying there is a strong pipeline of decisions coming and that they would be announced in the second half of this year, that is exactly what has been happening," he said.

"We have finalised seven inquiries into big tech and there are another half a dozen cases where we have brought decisions to our fellow data protection authorities, these will finalise in the coming months."

In July, the Government announced plans to appoint two additional commissioners at the office of the Data Protection Commission.

Making the announcement, the Department of Justice said the DPC had evolved significantly since its inception and that its increased working burden and investigative complexity have been regularly highlighted by the Commission itself and its stakeholders.

"The Data Protection Commission has performed its role of independent data protection regulation in the State very effectively to date," said Minister for Justice Helen McEntee.

"In recent years, the Commission is dealing with an increased workload with increasingly complex investigative requirements."

The minister said she was also asking that the DPC undertakes a review of its governance structures, staffing arrangements and processes.

The €405m Instagram fine grabbed headlines this week because of its record size and it was portrayed by many as a big win for the Irish Data Protection Commission.

But when you are dealing with multi-billion-dollar tech giants, the size of the fine matters less than the remedies and reforms that the companies are forced to undertake.

As the DPC ramps up its enforcement efforts, the authority's success should not be judged on how much money it collects but rather how its rulings increase online safety and improve protections for millions of internet users across Europe.