Meta’s removal of end-to-end encryption from Instagram direct messages, effective May 8, 2026, raises a series of questions that regulators should be asking. The change was disclosed through a quiet help page update. The episode reveals regulatory gaps that need to be addressed if users are to be protected from future privacy rollbacks.
Encryption on Instagram was introduced in 2023 as an opt-in feature following Zuckerberg’s 2019 commitment. Its removal was not subject to regulatory review or approval. Regulators in key jurisdictions are now examining whether this was appropriate.
After May 8, Meta will have access to all Instagram DMs. Regulators should be asking how this data will be stored, who will have access to it, and under what circumstances it can be shared with third parties including governments. These questions have not been answered.
Law enforcement agencies including the FBI, Interpol, and national bodies in Australia and the UK had pushed for this change. Child safety advocates backed their position. Australia reportedly saw the feature deactivated before the global deadline.
Digital Rights Watch is urging regulators to ask hard questions about the decision-making process. Tom Sulston argued that platforms should not be able to remove privacy features without demonstrating that the change is justified, proportionate, and compliant with applicable privacy laws. He and others are calling for regulatory frameworks that close the gaps this episode has exposed.