Meta, the parent company of Facebook and Instagram, faces severe disciplinary action after Ireland’s DPC (Data Protection Commissioner) ruled that the organisation improperly processed children’s personal data.
The proposed fine relates to an ongoing dispute regarding Meta’s data processing activities. The tech giant has for years faced allegations of privacy breaches, and is currently appealing a €225 million fine that was issued for violations related to WhatsApp’s data processing practices.
Now the DPC has turned its attention to Instagram, with Commissioner Helen Dixon ruling that the social media platform’s data processing practices violate the GDPR (General Data Protection Regulation).
Dixon’s 2021 annual report said the case concerns the way Instagram handles “the operation by children of ‘business accounts’ and also certain default settings which were applied to children’s accounts”.
Why has the fine not yet been levied?
Records show that Meta has known for some time that a fine has been coming. In October 2021, the organisation agreed to sign off €724 million to cover administrative fines related to GDPR violations. This is on top of another €302 million that it had previously set aside.
However, proceedings have been delayed for several reasons. First, Meta has appealed the penalty – although that is the case in almost every high-profile GDPR investigation.
More worryingly, several European data protection bodies have refused to back the DPC’s proposed fine. Finland, France, Germany, Italy, the Netherlands and Norway have all distanced themselves from the investigation, but they haven’t publicly stated why.
This isn’t in itself a stumbling block. Supervisory authorities aren’t required to gain unanimous support when issuing a fine. Meta’s headquarters are in Ireland, making the DPC its lead supervisory authority and giving it the power to launch an investigation and issue a fine.
But because Meta’s data processing practices span the EU, support from other bodies would help the DPC’s position in the event of an appeal.
Efforts to settle the dispute are currently underway at the EDPB (European Data Protection Board), the body that’s responsible for GDPR compliance across the EU.
Speaking to the Irish Times, the EDPB confirmed that it had “received a formal submission with regard to Instagram, which is the first step in the triggering of the dispute resolution mechanism”.
It added that it is “currently assessing the completeness of the file”.
Privacy by design
GDPR investigations into large firms such as Meta demonstrate the importance of data protection by design and default.
It is a foundational principle of the Regulation and states that organisations must build compliance practices into the heart of their operations rather than attempting to bolt them on to existing processes.
This ensures that data protection and data privacy are prioritised, and helps create efficient and effective compliance practices.
The failure to meet this principle is the root cause of a significant proportion of GDPR fines. Larger organisations, especially those in the tech industry, struggle with it in particular, because it is even harder to overhaul huge data processing activities that are at the heart of their operations.
However, it can affect organisations of all sizes. If compliance isn’t built into your data processing practices, it’s a sign that you have major problems that could manifest in other ways.
We help you avoid these problems in our free guide: Privacy by Design – Step by Step. This green paper provides more detail on privacy by design and its seven foundational principles.
It also contains our eight-step approach to achieving privacy by design.
By reading this guide, you’ll understand the risk-appropriate technical and organisational measures you must implement to ensure that data privacy and protection become part of business as usual.