Instagram kept copies of deleted pictures and private direct messages on its servers even after someone removed them from their account. The Facebook-owned service acknowledged the slipup and awarded a security researcher $6,000 for finding the bug. Instagram fixed the bug earlier this month and said there has been no evidence of abuse of the vulnerability. The flaw was in a feature that Instagram launched in 2018 in response to the European General Data Privacy Regulation, which requires companies operating in Europe to notify authorities within 72 hours of confirming a data breach.
Source: https://threatpost.com/instagram-retained-deleted-user-data-despite-gdpr-rules/158366/