From the 8th of May 2026, Instagram will no longer use end-to-end encryption (hereinafter: "E2EE") in direct messages (hereinafter: "DMs"). Until now, users could manually enable E2EE for individual conversations. This option will now disappear entirely.
This fits within a broader development. Until 3 April 2026, an EU exemption had allowed platforms to voluntarily scan for illegal content, but this is no longer the case. Nevertheless, major technology companies continue to scan on their own initiative, despite the absence of a specific legal basis. This raises questions about what platforms may do with message content.
For organisations that use Instagram for customer contact, the implications are significant. In this blog, we explain what is changing, what it means legally, and how to adapt your customer channels accordingly.
Until recently, E2EE was available as an opt-in feature for individual conversations. E2EE was therefore not a default setting, but a deliberate choice that had to be made for each chat conversation. From the 8th of May 2026, this opt-in will disappear entirely. Meta has not provided a public explanation. Without E2EE, message content remains accessible to Meta, making it technically possible to analyse messages for purposes such as content moderation, advertising, or scanning for illegal content.
Civil society organisations, including the Global Encryption Coalition's Steering Committee, have raised concerns about users losing a crucial privacy layer. They emphasise that E2EE is a vital safeguard for user privacy, and that removing it opens the door to greater surveillance and data processing by platforms.
E2EE is generally considered one of the strongest forms of security for digital communication. With E2EE, only the participants in a conversation can access its content. Each device participating in an E2EE chat has a unique set of security codes that together form a 'lock and key' for that specific chat. When you send a message, it is encrypted on your device before being transmitted. Only a device with the correct codes can decrypt and read the message.
However, E2EE does not guarantee complete privacy. With client-side scanning, message content is analysed on the user's device before it is encrypted. Some platforms use this to scan for illegal content, which gives a third party, in this case the platform provider, access to message content despite E2EE.
Scanning of communication content by a provider breaches the confidentiality requirements of the ePrivacy Directive, unless a legal exception applies. In 2021, the European Union adopted a temporary derogation that enabled communication services such as WhatsApp, Instagram DM and Messenger to voluntarily scan messages and photos for child sexual abuse material. That temporary derogation expired on the 3rd of April 2026. There is no clear successor, because the European Parliament and Member States could not agree on what 'chat control' should look like.
At the same time, several major platforms have announced they will continue with voluntary detection. This creates tension between the strict confidentiality requirements of the ePrivacy Directive on the one hand, and the duty of care obligations under the Digital Services Act (hereinafter: "DSA") to mitigate risks and combat illegal content on the other. Technology companies now operate in a legal grey area: there is no longer a specific mandate for voluntary detection, but neither is there an explicit prohibition. The DSA imposes due diligence obligations that conflict with the confidentiality requirements of the ePrivacy Directive, resulting in a 'conflict of duties'.
Against this backdrop, Meta's decision to withdraw E2EE from Instagram DMs becomes particularly relevant: the legal rules around platform access to messages remain unclear, making this technical change all the more significant.
When your organisation communicates with customers via Instagram, it shares personal data with Meta. Specifically, Meta acts as an independent controller for platform functionality and content scanning, while your organisation remains controller for customer data received via DM.
Your organisation therefore does not enter into a data processing agreement with Meta and has no right to give instructions regarding the shared data. This means your organisation must be transparent with customers about the risks of contact via Instagram DM.
While social media make customer contact easier, the obligation to handle personal data carefully still applies. E2EE is disappearing, and legal uncertainty around platform scans remains. The key question is therefore no longer whether Instagram DM is technically possible. The question is: is it still appropriate? Given this uncertainty, it is advisable to regard Instagram DM as a channel with limited confidentiality.
Instagram DM remains usable for non-sensitive contact. Consider:
Answering general customer questions about products or services
Redirecting customers to an appropriate channel (sharing only a name or email address)
Responding to brief status requests that involve no sensitive information
Certain data should not be shared via Instagram DM. Avoid:
Asking customers for sensitive personal data (health, religion, etc.)
Requesting identification numbers, payment details, or login credentials
Asking customers to send copies of identity documents
Exchanging documents containing personal data (such as contracts or invoices)
The role of DM is shifting. It is no longer the channel for handling enquiries in full, but for sharing only the right information, briefly and without sensitive details.
Does your organisation wish to continue using Instagram DM for customer contact in a privacy-conscious manner? The tips below will help mitigate risks.
Prepare a standard message for your organisation to refer customers, where necessary, to a more suitable channel. For example: "To protect your privacy, we do not handle personal data via DM. Please use our secure form/portal."
Ensure your organisation's privacy notice explains what Instagram contact entails. For example: "We use Instagram DM exclusively for service/community purposes." Include the legal basis, an overview of recipients, and mention of transfers to the US (Meta is an American company).
Instruct your organisation's staff to exercise restraint when requesting customer data via DM, and train them to recognise when a customer should be referred to another channel.
The discontinuation of E2EE in Instagram DMs is more than a technical change. It is a clear signal to take a critical look at your customer channels and the contact that takes place there.
Considering these developments, we advise treating Instagram DM as a channel with limited confidentiality. Keep customer contact via DM brief and non-sensitive, and refer customers to a secure channel when personal data is involved. Document these choices in your policy, processes, and privacy notice. This way, Instagram can continue to be used where it excels: reach, community, and quick, general service.
The legal situation remains uncertain. The expiry of the derogation does not create an explicit prohibition, but rather a grey area. Technology companies now operate within a conflict of duties: the DSA calls for action against illegal content, whilst the ePrivacy Directive protects confidentiality. We are closely monitoring these developments.
If these developments have you reconsidering your customer contact, we'd be glad to help you take the next step.