To print this article, all you need is to be registered or login on Mondaq.com.
Meta-owned Instagram has been fined €405 million by the
Irish Data Protection Commission (DPC) for violations of the EU
General Data Protection Regulation (GDPR), following a two year
investigation into how the social media platform handles
children’s data. This is the largest fine imposed by the DPC to
date. Below, we highlight some of the key issues arising in the
What was the breach?
The investigation into Instagram was centred on two issues:
- Teenage users aged 13-17 were allowed to operate ‘business
accounts’ on Instagram, which resulted in the publication of
the users’ phone numbers and email addresses. If these
had been adults, this likely would not have been
an issue. Nonetheless, this serves as a reminder to use additional
caution when dealing with children’s data. Recital 38 of the
GDPR highlights that where children’s data is used to create
user profiles, specific protections should apply since children may
be less aware of the risks, consequences and safeguards and their
rights in relation to the processing of their data.
- All accounts, including the accounts of teenage users, were set
to public by default, unless the user affirmatively changed the
privacy settings. Meta has commented that these settings have since
been updated and users under 18 now automatically have their
account set to private when they join Instagram. The GDPR requires
privacy by design and default, meaning that data protection should
be integrated into a business’s processing activities.
Additionally the DPC’s guidance “Children Front and
Centre: Fundamentals for a Child-Orientated Approach to Data
Processing” highlights the importance of ensuring the
strictest privacy settings apply by default
Full details of the reasons behind the decision are expected to
publish next week. Meta is said to disagree with the way the fine
has been calculated and plans to appeal the decision.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from European Union