Instagram GDPR fine confirms children’s data protection focus

Meta, the company behind Instagram, has said it disagrees with the way the fine was calculated and intends to appeal it.

The fine is the biggest that has been issued under the EU General Data Protection Regulation (GDPR). Amazon last year notified US regulators that Luxembourg’s data protection authority had outlined its intention to issue it with a fine of €746m under the GDPR, but a final decision has not yet been made public in that case.

The Instagram fine was issued by the Data Protection Commission (DPC), following input from data protection authorities in other EU member states and a decision of the European Data Protection Board (EDPB) (65-page / 1.8MB PDF). The DPC said its inquiry had “examined, in particular, the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children”.

The DPC said Instagram had infringed GDPR principles concerning the lawful, fair and transparent processing of personal data, and ‘data minimisation’ – where organisations are required to ensure that their processing of personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The sanctions imposed also reflect other findings of GDPR infringement, including specific rules governing the lawfulness of personal data processing and the provision of transparent information to data subjects.

Instagram was also deemed to be in breach of GDPR provisions that required it implement appropriate technical and organisational measures to ensure and to be able to demonstrate that its processing was performed in accordance with the legislation, as well as other provisions aimed at ensuring data protection is built into the way products and services are designed, and in relation to data protection impact assessment obligations.

Dublin-based technology law expert Andreas Carney of Pinsent Masons said: “The EDPB decision includes a breakdown of the range of fines that the DPC had proposed for each of the breaches in its draft decision, which was referred to the EDPB, which in aggregate was between €202 million and €405 million. Broadly speaking, the breakdown of the top end of this range was €259 million for infringements relating to lawful, fair and transparent processing, €90 million for infringements relating to data protection impact assessments, and €56 million regarding infringements relating to data protection by design and by default.”

“While these allocations may have changed in the DPC’s final decision – the DPC was required by the EDPB to amend its decision to include a finding of infringement of Article 6(1) of the GDPR relating to the lawful basis of processing, which the DPC states is subject to a fine of €20 million – they emphasise the importance of the interrelationship between these areas within the framework of GDPR compliance and the need to consider GDPR requirements holistically in relation to compliance of products and services,” he said.

Earlier this week, the DPC also confirmed that it had submitted a draft decision under the GDPR against video-sharing platform TikTok in relation to children’s data protection for consideration by other data protection authorities in the EU.

In that case, the DPC said its inquiry had focused on “processing of child users’ personal data in the context of the platform settings of the TikTok platform, in particular public-by-default processing of such platform settings in relation to users under age 18 accounts and age verification measures for persons under 13”, and that it had also considered “whether TikTok has complied with the GDPR’s transparency obligations in the context of the processing of personal data of users under age 18”.

Amsterdam-based data law expert Andre Walter of Pinsent Masons said: “The DPC is one of the forerunners in Europe in terms of setting the boundaries for processing children’s’ data online. While the UK’s age appropriate design code (AADC) is the first statutory code of practice in the Europe addressing issues of children’s privacy and wellbeing online arising from the use of their data, the DPC has drafted the ‘Fundamentals for a Child-Oriented Approach to Data Processing’. This aligns with the aims of the European Data Protection Board to publish guidelines on children’s data in the coming months (6-page / 204KB PDF) for the whole of the EU.”

Earlier this month, to mark a year since the AADC had full effect, the UK’s Information Commissioner’s Office (ICO) said that the code had resulted in children being “better protected online in 2022 than they were in 2021”. The ICO cited changes the code had prompted some online service providers to take to their services. It also confirmed that it had revised its policy in relation to adult-only services. The ICO now considers those services “in scope” of the code “if they are likely to be accessed by children”.