When Meta announced that Instagram would remove end-to-end encryption from direct messages by May 8, 2026, the response focused primarily on privacy advocacy, law enforcement implications, and commercial incentives. But there are legal questions raised by this decision that have received relatively little attention — questions about consent, data use, and the regulatory frameworks that govern how platforms handle private communications
The consent question is fundamental. Instagram users who enabled end-to-end encryption did so on the basis of an understanding that their messages were protected. The removal of that protection changes the terms of the service they were using — arguably without their explicit consent. Whether this constitutes a meaningful breach of user trust or legal obligation depends on the specific terms of service and privacy policies users agreed to, as well as the regulatory requirements applicable in their jurisdictions.
The data use question is equally important. With encryption removed, Meta gains technical access to private message content. What the company can legally do with that access varies by jurisdiction. In the European Union, the General Data Protection Regulation sets limits on how personal data can be used without explicit consent. In other jurisdictions, the regulatory environment is less restrictive. Whether Meta’s new access to DM content is constrained by existing law is a question that regulators in multiple countries should be examining.
The notification question is also significant. Meta announced the change through low-key documentation updates rather than explicit notification to affected users. In jurisdictions where data protection laws require companies to inform users of material changes to how their data is handled, this approach may be insufficient. Regulatory bodies that enforce data protection law should assess whether Meta’s announcement met applicable notification requirements.
Digital rights organizations are calling for exactly this kind of regulatory scrutiny. The legal questions raised by Instagram’s encryption removal are not abstract — they concern the rights of hundreds of millions of users in jurisdictions with varying levels of legal protection. Understanding whether existing law adequately addresses this situation, and where it falls short, is an essential step in determining what regulatory response is warranted.