Meta-owned Instagram has been fined €405 million by the Irish Data Protection Commission (DPC) for violations of the EU General Data Protection Regulation (GDPR), following a two year investigation into how the social media platform handles children’s data. This is the largest fine imposed by the DPC to date. Below, we highlight some of the key issues arising in the case.

What was the breach?

The investigation into Instagram was centred on two issues:

  1. Teenage users aged 13-17 were allowed to operate ‘business accounts’ on Instagram, which resulted in the publication of the users’ phone numbers and email addresses. If these users had been adults, this likely would not have been an issue. Nonetheless, this serves as a reminder to use additional caution when dealing with children’s data. Recital 38 of the GDPR highlights that where children’s data is used to create user profiles, specific protections should apply since children may be less aware of the risks, consequences and safeguards and their rights in relation to the processing of their data.
  2. All accounts, including the accounts of teenage users, were set to public by default, unless the user affirmatively changed the privacy settings. Meta has commented that these settings have since been updated and users under 18 now automatically have their account set to private when they join Instagram. The GDPR requires privacy by design and default, meaning that data protection should be integrated into a business’s processing activities. Additionally the DPC’s guidance “Children Front and Centre: Fundamentals for a Child-Orientated Approach to Data Processing” highlights the importance of ensuring the strictest privacy settings apply by default

Full details of the reasons behind the decision are expected to publish next week. Meta is said to disagree with the way the fine has been calculated and plans to appeal the decision.