On 15 September 2022, the Irish Data Protection Commission (DPC) issued a final decision and imposed a €405 million fine on Instagram– a social media platform owned by Meta, for violations of the General Data Protection Regulation (GDPR) regarding the processing of children’s data.


Investigation


On 21 September 2020, the DPC initiated an investigation related to child users of Instagram in response to information provided by US data scientist David Stier and in connection with other issues identified by the DPC after examination of the Instagram user registration process.

The investigation examined the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children.


Decision


Following the investigation, the DPC submitted a draft decision to all relevant data protection authorities in the EU. Six of these national regulators raised objections to the DPC’s draft decision.

The DPC was unable to reach a consensus and therefore, referred the case to the European Data Protection Board (EDPB), in line with the Article 65 dispute resolution process of the GDPR.

The EDPB adopted its binding decision, which rejected a considerable number of objections but upheld objections requiring the DPC to amend its draft decision to include a finding of infringement of Article 6(1) GDPR and to reassess its proposed administrative fines including the additional infringement of the GDPR.

Having incorporated these amendments, the DPC’s decision was adopted, which included infringements of:

Article 5(1)(a), 5(1)(c) – Principles relating to processing of personal data

Article 6(1) -Lawfulness of processing

Article 12(1) – Transparent information, communication and modalities for the exercise of the rights of the data subject

Article 24– Responsibility of the controller

Article 25(1), 25(2) – Data protection by design and by default

Article 35(1) – Data protection impact assessment


Fine


The DPC’s original draft decision had recommended a fine of up to €405 million and, having taken account of the EDPB’s binding decision, the fine imposed on Meta Platforms totals €405 million, including a fine of €20 million for the infringement of Article 6(1).

In addition to these administrative fines, the DPC has also reprimanded and ordered Meta Platforms to take necessary measurements to bring its processing into compliance.


Meta’s response


Meta commented that the violation is regarding their old settings updated a year ago regarding the privacy of Instagram users under 18 (you have to be at least 13 to have an Instagram account).

According to Meta, new Instagram settings are focused on keeping children safe and their information private making their accounts automatically private when they join Instagram, and adults can’t message teens who don’t follow them.

This is the third penalty for Meta and the second largest GDPR fine to this day, surpassed only by the €746 million fine issued to Amazon in 2021.

Read the entire DPC’s press release.