As Meta prepares to complete the removal of end-to-end encryption from Instagram direct messages by May 8, 2026, regulators in jurisdictions around the world face an important question: does this decision require regulatory scrutiny, and if so, what should that scrutiny involve? Digital rights advocates argue that the answer is clearly yes — and that the questions regulators need to ask are specific and demanding.
The first question is about consent and notification. Instagram users who enabled end-to-end encryption did so based on an understanding that their messages were technically protected. The removal of that protection changes the terms of the service they were using. Regulators should ask whether this change required explicit user notification — not a help page update, but active notice — under applicable data protection laws.
The second question is about data use. With encryption removed, Meta now has technical access to private Instagram message content. Regulators should require Meta to disclose clearly and specifically what it will and will not do with that access. Will message content be used for advertising targeting? For AI training? For content moderation? Users and regulators deserve explicit answers, not silence.
The third question is about design accountability. Meta made the encryption feature opt-in rather than opt-out, which suppressed adoption. Meta is now citing low adoption as the reason for removal. Regulators should ask whether this design choice — and the use of the resulting adoption data to justify removal — is consistent with principles of fair dealing and privacy by design that apply in various jurisdictions.
The fourth question is about proportionality. The official justification for the removal includes safety considerations raised by law enforcement. Regulators should ask whether the removal of encryption from an entire platform is a proportionate response to those safety concerns — or whether targeted safety tools, which could address specific harms without compromising the privacy of all users, would be a more appropriate and proportionate approach.
These are not hostile or adversarial questions — they are the questions that appropriate regulatory oversight requires. If Meta cannot or will not answer them clearly and completely, that is itself a signal that greater regulatory scrutiny is warranted.
