Last week, the Irish Data Protection Commission fined Instagram owner Meta 405 million euros for breaching the privacy rights of children under the EU General Data Protection Regulation (“GDPR”). The investigation, which had started back in 2020, focused on how the platform allowed users aged between 13 and 17 years to operate accounts which showed their phone numbers and email addresses. The Commission mainly looked at the fact that the platform had employed a user registration system whereby the accounts were set to “public” by default upon switching to a business account.

This is the second-largest fine imposed on a company for GDPR violations. It is also the highest fine imposed on Meta (also owner of Facebook and WhatsApp) by the Irish watchdog, after imposing a 225 million euro fine on WhatsApp for breaching data protection rules. Since the decision, it has been reported that Instagram has updated its settings and has included new features which protect teenage users and keep their information private.

This ruling clearly shows how effective enforcement under the Regulation can safeguard privacy rights, particularly those of children. It will hopefully act as an eye-opener for many businesses around the world to update their systems in accordance with GDPR rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.