The Irish Data Protection Commission (Irish DPC) has imposed a record fine of 405 million euros on Meta Group's social network Instagram. The accusation: serious violations of the General Data Protection Regulation, or "GDPR" for short. In addition, a number of remedial measures have been ordered. Meta is taking action against the decision. Its key argument: the decision violates the EU Charter of Fundamental Rights and is therefore invalid. 

Meta subsidiary Facebook has also been fined 265 million euros following regulatory investigations into the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools, triggered by a release of the personal data of up to 533 million Facebook users. The focus is on questions of compliance with the data protection principles "Privacy by Design and by Default".

This means that Meta Group companies have received a total of four fines for data privacy violations totalling €910 million since September 2021. Back in 2021, the Irish DPC had fined WhatsApp 225 million euros. In March 2022, a further fine of 17 million euros was imposed upon the parent company. WhatsApp brought an action before the ECJ for a declaratory judgement that the decision of the European Data Protection Board ("EDPB") preceding the fine is invalid. The ECJ recently rejected this claim as inadmissible, together with the comment: “However, the validity of the EDPB's decision may be challenged before the national court, which may make a request for a preliminary ruling to the Court of Justice”. Parallel legal proceedings initiated by WhatsApp against the Irish DPC's decision are underway in the national court.

Subject of the allegations against Instagram

With the fine, the authority sanctions the fact that Instagram had allowed young people between the ages of 13 and 17 to operate so-called "business accounts" on the platform. As a result, telephone numbers and e-mail addresses of minors were temporarily visible to the public. In addition, accounts of young people were set to "public" by default. Unless teens had switched this default setting to "private" in advance, their social media content was freely viewable by Instagram users. According to Meta, this was an outdated setting that has since been revised. The authority nevertheless addresses violations of Art. 5(1)(a), Art. 5(1)(c), Art. 6(1), Art. 12(1), Art. 24, Art. 25(1), Art. 25(2) and Art. 35(1) GDPR in its decision.

Integration of the EDPB in the Instagram process

The present final fine decision brings a complex procedure to an end. This had been initiated by the Irish DPC in September 2020, partly in response to information provided by US data scientist David Stier. In 2021, as the "lead" authority, it had then drawn up a draft decision based on extensive investigations of Instagram's data processing and shared it with other "concerned" national supervisory authorities within the EU (Art. 60 GDPR). Six authorities had raised objections. These authorities objected, among other things, to the assumption of a legal permission for the data processing operations under Art. 6(1) GDPR. No agreement was reached.

The Irish DPC referred the matter to the European Data Protection Board, or "EDPB", for a dispute resolution procedure (Article 65 GDPR). The EDPB adopted its binding decision on this matter on 28 July 2022. In this decision, the EDPB comprehensively explains the restrictive conditions under which the permission criteria "necessity of the data processing for the performance of a contract with the data subject" (Art. 6 (1) (b) GDPR) and "legitimate interest in data processing" (Art. 6 (1) (f) GDPR) apply. Based on this decision, the Irish DPC revised its original comments and based the final decision on a breach of Article 6(1) of the GDPR.

Europe-wide signal: special care required when processing data of minors

Angelika Jelinek, chair of the EDPB, calls the decision "historic" in the EDPB press release, stating: “Not only because of the size of the fine – it is the second highest fine since the General Data Protection Regulation came into force – but also because it is the first EU-wide decision on children's data protection rights. With this binding decision, the EDPB makes it particularly clear that companies that target children must take particular care. Children deserve special protection regarding their personal information.”

Against this background, companies that process the personal data of minors or cannot completely exclude this must ensure that they: 

  1. Obtain full transparency within their area of responsibility regarding the processing of personal data of minors.
  2. Apply the principles of data avoidance and data economy consistently with regard to such data. Refrain from using such data or anonymise it to the extent their business model allows. Otherwise, check options for pseudonymisation.
  3. Check whether they can base the processing of minors' data on the permission criteria "performance of a contract with the data subject" (Article 6 (1) (b) of the GDPR) or "legitimate interest" (Article 6 (1) (f) of the GDPR) against the standards applied by the EDPB in its binding decision (pages 29 et seq) regarding Instagram.
