The Data Protection Commission (DPC) in Ireland has sought to impose a €405m fine upon Meta Platforms Ireland Limited (Instagram) and a range of corrective measures following breaches of the GDPR. The DPC has released further details regarding the conclusion of its two-year inquiry, which followed concerns over how children’s data was being processed and protected by Instagram.
The inquiry looked at how Instagram processed the personal data of child users, in particular the public disclosure of phone numbers and/or email addresses of children signing up to use a business account, and the public-by-default setting when children created a personal account.
Use of business accounts
Teenagers between the ages of 13 and 17 were able to create and operate a “business account”. When creating this type of account, the user's email address and phone number would be published. For adults this is not a problem, but for children, who are less aware of the risks and consequences of such publication, there are specific protections that should apply under Recital 38 of the GDPR.
When an adult, child or teenager creates an account on Instagram, the default is to set the account to public. This setting can be changed, but the user must change it themselves in their privacy settings. It has, however, been confirmed by Meta that users who are under 18 will automatically have their account set to private when an account is created.
Conclusion of inquiry
Instagram was found to have breached Articles 5(1)(a) and 5(1)(c) (related to fair processing); 6(1) (lawful processing); 12(1) (transparency); 24 (responsibility of controller); 25(2) (data protection by design and default); and 35(1) (data protection impact assessment) of the GDPR. Meta has announced that it intends to appeal the decision, including how the fine was calculated.
The increase in data protection investigations
The DPC is imposing increasingly significant, and more frequent, fines for breaches of data protection law. Examples are Twitter’s fine of €405,000 in December 2020, Amazon’s €746m fine in July 2021 and, most recently, a €405m fine upon Meta Platforms Ireland Limited (Instagram). Furthermore, two investigations were launched against TikTok last September for potential GDPR violations. This suggests that data protection breaches are being handled more robustly by regulators across the EU.