After a drawn-out investigation, the Irish DPC (Data Protection Commission) has confirmed that it intends to fine Instagram for several data protection violations.
And the fine, should it stand, is a big one: €405 million. It’s the second largest penalty ever issued under GDPR (General Data Protection Regulation), trailing only the €746 million fine levied against Amazon.
The penalty relates to the way the social media giant, owned by Meta (formerly Facebook), handled children’s personal data.
According to the investigation, which began in 2020, Instagram allowed children aged 13 to 17 to operate business accounts on the platform.
As RTÉ explained, this “required and/or facilitated the publication of the child user’s phone number and/or email address”.
Meanwhile, Instagram operated a user registration system that set child users’ accounts to public by default, “thereby making public the social media content of child users, unless the account was otherwise set to ‘private’ by changing the account privacy settings”.
In addition to the €405 million fine, the Irish DPC has “imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions”.
Will the fine stand?
As is always the case when a landmark GDPR fine is issued, there is a caveat: the organisation has the right to appeal the decision.
Things are no different on this occasion. Meta commented: “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private.
“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.
“While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it. We’re continuing to carefully review the rest of the decision.”
Could more fines be on the way?
When the GDPR took effect in 2018, it promised to revolutionise the data protection landscape. In the four years since then, the Regulation has had a profound effect – not only through headline-grabbing penalties such as the one levied against Instagram but also through smaller, less newsworthy fines.
The fine issued against Instagram is one of 310 confirmed GDPR penalties in 2022, following more than 420 in 2021. Those penalties have totalled more than €1 billion – although as you would expect, the majority of that figure comes from a handful of standout fines.
Indeed, one of the major problems that EU regulators have had with the GDPR is ensuring that penalties are handed out fairly and consistently.
Earlier this summer, the European Commission published new draft guidelines on how to calculate fines for regulatory breaches.
The guidelines attempt to harmonise the way penalties are issued, with a five-step methodology for calculating fines.
Given the scale of the GDPR, it was inevitable that issues would arise and adjustments would need to be made. Moves such as this demonstrate that legislators are honing GDPR enforcement, and organisations must follow suit by ensuring that their practices are compliant.
If you’re looking for support meeting your GDPR requirements, IT Governance is here to help. We offer a variety of consultancy options for organisations looking to bolster their compliance practices.
Whether you’re looking for a little guidance or you’d like a dedicated consultant, we have you covered.
Our team of experts are on hand to help you at any stage of your GDPR journey. You can learn more about our services on our website or by speaking to one of our experts.