Meta’s decision to remove end-to-end encryption from Instagram direct messages by May 8, 2026, makes a compelling case for mandatory privacy standards — legal requirements that prevent companies from reversing privacy commitments without regulatory accountability. The case rests on three observations that the Instagram decision has made particularly clear.
Observation one: voluntary corporate privacy commitments are not durable. Meta’s 2019 commitment to cross-platform encryption was public, specific, and genuine at the moment it was made. It was progressively diluted and then reversed over the following seven years. The erosion followed commercial and institutional logic rather than any change in user needs or values. If a prominent public commitment can be reversed this quietly and this completely, the durability of voluntary privacy commitments is clearly insufficient.
Observation two: the commercial incentives driving privacy rollbacks are structural and persistent. Meta’s advertising business creates ongoing incentives to expand data access. AI development creates additional incentives for comprehensive data collection. These incentives do not diminish over time — they intensify as competition in advertising and AI increases. Voluntary commitments made by individuals within companies are perpetually vulnerable to being overridden by structural commercial pressures.
Observation three: the current regulatory environment is inadequate. Meta was able to announce the removal of a significant privacy feature through a help page update, without regulatory notification or user consultation, and has faced no meaningful regulatory consequence. This demonstrates that existing frameworks — even relatively strong ones like GDPR — are not sufficient to prevent this kind of quiet privacy rollback.
The case for mandatory privacy standards — legally enforceable requirements that establish minimum privacy protections that cannot be voluntarily removed — follows directly from these three observations. Standards that require privacy by default, that mandate meaningful user notification for material changes, and that establish regulatory accountability for the reversal of stated privacy commitments would address the specific failures that the Instagram case has revealed.