3 October 2022

Instagram has recently been fined €405 million by Ireland's data protection authority for breaching data protection law, and has also been ordered to change how it processes personal data. Meta, the company that owns both Instagram and Facebook, is expected to appeal the decision; it says it disagrees with the way the fine was calculated.

Pending the final decision on, and confirmation of, the €746m fine that Luxembourg's data protection authority last year announced it intended to impose on Amazon, this Instagram decision is the second largest issued under the EU General Data Protection Regulation (GDPR) to date.

Instagram was investigated mainly on two issues:

  1. Teen users between the ages of 13 and 17 were permitted to operate “business accounts” on Instagram, which resulted in the public disclosure of those users’ contact information. This probably would not have been a problem had the users been adults, but it serves as a reminder to proceed with extra caution when handling children’s data. Recital 38 of the GDPR emphasises the need for additional protections where children’s data is used to build user profiles, given that children may be less aware of the risks, consequences and safeguards, as well as of their rights, in relation to the processing of their data.
  2. All accounts, including those of adolescent users, had their privacy settings set to public by default until the user specifically changed them. According to Meta’s reply, these settings have since been changed, and accounts created by users under the age of 18 are now set to private automatically. The GDPR requires data protection to be built into all processing operations by design and by default. The Data Protection Commission’s (DPC’s) guidance “Children Front and Center: Fundamentals for a Child-Oriented Approach to Data Processing” also stresses the importance of ensuring that the strongest privacy settings are in place by default.

The Data Protection Commission (DPC) issued this fine to Instagram following input from data protection authorities in other EU member states and a decision of the European Data Protection Board (EDPB). The DPC said its inquiry had “examined, in particular, the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children”.

It also found that Instagram had infringed the GDPR principles of lawful, fair and transparent processing of personal data, and of ‘data minimisation’, which requires organisations to ensure that their processing of personal data is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

The sanctions imposed also reflect other findings of GDPR infringement, including of the specific rules governing the lawfulness of personal data processing and the provision of transparent information to data subjects.

Instagram was also found to be in breach of the GDPR provisions that required it to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that its processing was performed in accordance with the legislation; of the provisions requiring data protection to be built into the way products and services are designed; and of its data protection impact assessment obligations.