Instagram is fined €405m for mishandling children’s user data

A landmark fine

The Irish Data Protection Commission (DPC) has announced it will issue a penalty of €405m (£349m) against Instagram in relation to an alleged failure to protect childrens’ data. Meta has been a particular target of the DPC; in the last year, the DPC has issued three fines against Meta subsidiaries (Facebook, WhatsApp and Instagram) for violations of the General Data Protection Regulation (GDPR) (read our related article here on the balance that Ireland is seeking to adopt between Big Tech and data privacy).

The full decision against Instagram is expected to be published next week. Meta has announced it intends to appeal against the DPC’s decision including in respect of the penalty calculation. It has an appeal ongoing against the WhatsApp decision, but has accepted that against Facebook.

The DPC investigation into Instagram began nearly two years ago in September 2020 following concerns regarding how children’s user data was being processed and protected by Instagram. The allegations are that:

• children (users between 13 and 17 years old) using Instagram were allowed to activate “business accounts”; however, given default privacy settings for business accounts, operating such accounts, resulted in the publication of child user’s personal contact information (e.g.; phone number and/or email address).

• as part of the Instagram user registration process, the platform had a setting through which child user accounts could, by default, be “public”. In such instances, the individual (child) user would have to know to change the account settings to “private”.

Co-ordination between European authorities

The DPC’s decision is illustrative of extent of central EU coordination of GDPR enforcement, which has the potential to increase the level of penalties imposed. It is understood that at least six European regulators (specifically, Finland, France, Germany, Italy, the Netherlands and Norway) raised objections to the DPC’s draft decision (in its capacity as lead supervisory authority regarding Instagram). As certain concerned European supervisory authorities disagreed with the DPC’s draft decision and the national regulators were unable to reach a consensus, the matter was referred to the European Data Protection Board (“EDPB”) for dispute resolution decision (per Article 65 of the GDPR). The EDPB announced on 29 July 2022 that it had reached its binding decision, to be adopted by the DPC. It is not clear, to what extent this process has led to the penalty on Instagram being “bid up” but it has previously been reported that similar objections raised by other EU member states last year in relation to the DPC’s draft decision against WhatsApp led to an initially proposed €30 - €50 million fine being increased to €225 million

Horizon-scanning regarding future enforcement action

The Instagram penalty appears to be the latest in a series of more frequent and significant fines being imposed for breaches of data protection law, ranging from the DPC’s December 2020 fine of Twitter for €405,000 to the Luxembourg National Commission for Data Protection’s July 2021 fine against Amazon for €746 million (read our related UpData article here). Moreover, the DPC continues to actively pursue investigations in respect of potential GDPR violations– including two investigations launched last September against TikTok.

It is apparent that GDPR breaches are being taken increasingly seriously by regulators across the EU. Fines have increased, and - given the size of some of the company’s involved - are increasingly involving very considerable figures (GDPR fines are benchmarked against a percentage of firms’ global revenue). It will be imperative that companies manage operations and compliance procedures in accordance with the GDPR. This is an evolving area of law; as more investigations conclude and decisions are issued, companies (and their legal advisors) should recognise that the enforcement of data protection law is growing “teeth” across the EU. Nonetheless, presently, a degree of legal uncertainty remains to be grappled with as companies (Meta included) attempt to appeal penalties imposed for GDPR breaches.

This trend also emphasises the increasing potential divergence on approach to enforcement being adopted by the UK’s ICO and European regulators.