The DPC conducted an inquiry against Instagram concerning the processing of personal data relating to child users of Instagram.
The inquiry concerned two types of processing carried out by Instagram as follows:
- Instagram allowed child users between the ages of 13 and 17 to operate 'business accounts' on the Instagram platform. At certain times, the operation of such accounts required and/or facilitated the publication (to the world-at-large) of the child user's phone number and/or email address.
- At certain times, Instagram operated a user registration system for the Instagram service whereby the accounts of child users were set to "public" by default, thereby making public the social media content of child users, unless the account was otherwise set to "private" by changing the account privacy settings.
As a result of inquiry, the DPC has fined Instagram Euro 405 Million on infringement of various articles of GDPR. The table below summarizes the said infringements and respective fines imposed by the DPC.
|
Infringement |
DPC Finding |
Amount in Millions (Euro) |
|
Article 12(1) regarding the public-by default processing. |
Instagram did not provide child users of Instagram with information on the purposes of the public-by-default processing. |
100 |
|
Article 12(1) regarding the contact information processing |
Instagram did not take measures to provide child users with information on the purposes of processing and/or information on the categories of recipients of personal data (as required under Articles 13(1)(c) and (e) of GDPR) using clear and plain language. |
70 |
|
Article 5(1)(a) regarding the contact information processing |
Processing by Instagram of contact information of child users who switched to a business account prior to 4 September 2019 was not fair or transparent, contrary to Article 5(1)(a) of GDPR. |
25 |
|
Article 35(1) regarding the contact information processing |
Instagram has not conducted an assessment of the impact of processing operations on the protection of personal data and has not complied with its obligations under Article 35(1) of GDPR. |
45 |
|
Article 35(1) regarding the public-by default processing |
Same as above |
45 |
|
Articles 5(1)(c) and 25(2) regarding the contact information processing |
Instagram did not comply with the principle of data minimization as set out in Article 5(1)(c) of GDPR.
Processing by Instagram was contrary to the principle of data protection by default under Article 25(2) of GDPR. |
25 |
|
Articles 25(1) regarding the contact information processing |
Instagram did not implement appropriate technical and organizational measures designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards. |
25 |
|
Articles 5(1)(c) and 25(2) regarding the public-by-default processing |
Processing by Instagram was contrary to the principle of data minimization principle under Article 5(1)(c) of GDPR and contrary to data protection by default under Article 25(2) of GDPR. |
25 |
|
Article 25(1) regarding the public-by default processing |
Instagram did not implement appropriate technical and organizational measures designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards. |
25 |
|
Article 6(1) regarding the contact information processing |
Contact information processing by Instagram infringed Article 6(1) of GDPR. |
20 |
|
Total |
405 |
|
The DPC, further, has ordered Instagram to bring its processing in compliance with GDPR and has reprimand regarding violation of GDPR
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
