Co-authored by Christian Razza
The Irish Data Protection Commission (DPC) has fined Meta-owned social media platform Instagram €405 million for breaches of the European Union's (EU) General Data Protection Regulation (GDPR).1
The sanction was imposed following a two-year investigation by the DPC, which found that Instagram had allowed users between the ages of 13 and 17 to operate business accounts on the platform that displayed users' phone numbers and email addresses. This led the authority to conclude that Meta had been processing the personal data of children and adolescents illegally without a legal basis under the GDPR.
The DPC also found that the platform had operated a user registration system whereby the accounts of users aged 13 to 17 were set to "public" by default, thereby also making their social network content public. The fine, which is the second highest under the GDPR, following only a €746 million sanction against Amazon, is the third imposed by the Irish authority on a Meta-owned company.2 In addition to the fine, the DPC decided to admonish Meta and require it to adopt a series of specific corrective measures to comply with the proper data processing.
In December 2021, the DPC presented a draft decision to all EU counterpart regulators, also known as Competent Supervisory Authorities, as provided under Article 60 of the GDPR. Six of these national regulators raised objections to the DPC's draft decision. The DPC was unable to reach a consensus with the regulators on the issue of objections and therefore referred the case to the European Data Protection Committee (EDPC), pursuant to article 65 of the GDPR.
On July 28, 2022, the EDPC issued its binding decision,3 under which it required the DPC to modify its draft decision to the effect that it included having found an infraction of article 6(1) of the GDPR and to reassess the proposed administrative fines arising from said additional infraction.4 After including these considerations in the text, the DPC rendered its final decision on September 2, 2022,5 and on September 15, 2022, confirmed the conclusions from the investigation into Instagram and the fine of 405 million euros.6 The DPC has at least six other ongoing investigations involving companies owned by Meta.7
Irish state-owned station RTE quoted a Meta spokesman as saying that they will appeal the fine, because this investigation was based on old configurations that they apparently updated over a year ago. Since then, they have implemented a number of new features to help keep teens safe and their information private. Such updates include a setting in which accounts belonging to users under 18 years of age are automatically configured as "private" when they register on Instagram.8
This is a major sanction, since it is the first fine imposed in relation to the personal data of children and adolescents, and a sign that financial sanctions for non-compliance with the GDPR are being imposed with ever-increasing values. This could be a sneak preview of the investigations and fines that the future Personal Data Protection Authority of Ecuador could well initiate and impose when the sanctioning regime set out in the Organic Law on Personal Data Protection (LOPDP) goes into force on May 26, 2023.
Personal data is any information that allows a person to be identified and requires special care when it comes to children's personal data in a digital environment like social networks. The LOPDP will have a greater impact on individuals and legal entitiesthat process the personal data of children and adolescents, since their data is categorized in said regulations as special data, which implies additional obligations for the person in charge and the person responsible for processing such data. Such additional responsibilities include impact assessments and granting additional rights to data owners.9 In this sense, the personal data of children and adolescents will receive reinforced and specific protection, especial when such data is used for marketing, profiling, and the collection of these through services offered directly to minors, as happens on social media.
Since 20202, Ecuador has had a public policy aimed at guaranteeing internet safety for children and adolescents,10 focused on protecting the dignity and physical, psychological, emotional, and sexual integrity of children and adolescents and enhancing the opportunities and skills offered by digital technologies in their lives and comprehensive development. Now, under the LOPDP, companies must be vigilant to ensure they comply with this rule, otherwise they will be penalized with the respective sanctions.
Although the DPC sanction applies in the EU, Meta will need to rectify this problem and adopt the corrective measures not only in that jurisdiction, but also change the default configuration of the commercial accounts of children and adolescents in Latin America, since currently, Instagram business accounts are set to "public" by default. Otherwise, the Latin American data protection authorities will have some work to do.
1. BBC. (September 5, 2022). Instagram fined €405m over children's data privacy. https://www.bbc.com/news/technology-62800884
3. The EDPC published its decision on September 15, 2022.
4. EDPC. (September 15, 2022). Binding Decision 2/2022. https://edpb.europa.eu/system/files/2022-09/edpb_bindingdecision_20222_ie_sa_instagramchildusers_en.pdf
CPD: (September 2, 2022). Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act, 2018 and Article 60 of the General Data Protection Regulation, DPC Inquiry IN-20-7-4. https://edpb.europa.eu/system/files/2022-09/in-20-7-4_final_decision_-_redacted.pdf
6. Irish Data Protection Commission. (September 15, 2022). Data Protection Commission announces decision in Instagram Inquiry. https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-instagram-inquiry
7. Independent. (September 5, 2022). Instagram fined €405m by Irish regulator for breaching children's privacy rights. https://www.independent.ie/business/technology/instagram-fined-405m-by-irish-regulator-for-breaching-childrens-privacy-rights-41962706.html
8. Le Monde. (September 5, 2022). Irish data watchdog fines Instagram €405 million over children's privacy. https://www.lemonde.fr/en/pixels/article/2022/09/05/irish-data-watchdog-fines-instagram-405-million-euros-over-children-s-privacy_5995936_13.html
9. Under article 21 of the LOPDP, in addition to the right of children and adolescents not to be the subject of a decision based solely or partially on automated assessments, sensitive data or data of children and adolescents cannot be processed except with the express authorization of the data owner or their legal guardian.
10. National Council for Intergenerational Equality. (2020). Public policy for a safe internet for children and adolescents. https://www.igualdad.gob.ec/wp-content/uploads/downloads/2020/09/política_publica_internet_segura.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.