The Irish Data Protection Commission (DPC) has issued its largest ever fine of €405 million to Meta Platforms Ireland Limited (Meta), the owner of Instagram, for violating the EU General Data Protection Regulation's (GDPR) rules on processing children's personal data. The fine is the first EU-wide decision on children's data protection rights and the second largest issued by an EU regulator, after the €746 million fine imposed on Amazon by Luxembourg's regulator last year.

Context of the fine

The fine concludes a two-year investigation into Instagram, opened over concerns about how the platform handled the data of child users (ages 13 to 17), specifically in relation to the public-by-default settings applied to accounts at registration and the disclosure of contact information on certain accounts.

In addition to the DPC's own concerns, the investigation progressed after a data scientist in the US reported that users, including those under 18, who switched to business accounts had their contact information (email address and phone number) publicly displayed on their profiles. Users switched to business accounts in order to access statistics such as how many times their profiles were viewed and the ages and locations of their followers.

What is the role of the DPC?

The DPC, Ireland's national data protection authority, acts as lead supervisory authority under GDPR's "one-stop-shop" mechanism for companies whose main EU establishment is in Ireland. As a result, it is responsible for protecting the data protection rights of hundreds of millions of EU residents in relation to large tech companies such as Google, Apple and Microsoft, which have based their European operations in Ireland. The DPC is also responsible for the enforcement of GDPR within Ireland.

The DPC has previously conducted a number of other inquiries into Meta-owned companies (such as Facebook and WhatsApp) and has already issued fines against the US tech giant, including a €225 million fine against WhatsApp for breaching GDPR's transparency rules in relation to how personal data was shared between various Meta-owned companies.

Why was Meta fined?

The DPC found that Meta had not complied with multiple provisions of GDPR, in particular by:

  • failing to process data in a way that was fair and transparent (Article 5(1)(a));
  • failing to establish a legal basis for processing children's contact information (Article 6(1));
  • failing to use clear and plain language when explaining the purposes of the processing to child users (Article 12(1));
  • failing to implement appropriate technical and organisational measures, including data protection by design and by default (Articles 24 and 25); and
  • failing to conduct a Data Protection Impact Assessment where the processing was likely to result in a high risk to the rights and freedoms of data subjects, in this case child users (Article 35).

In this case, six other supervisory authorities (France, Germany, Finland, Italy, the Netherlands and Norway, the last an EEA member rather than an EU member state) raised objections to the DPC's draft decision. The matter was therefore referred to the European Data Protection Board (EDPB), whose role includes ensuring that GDPR is applied consistently across the EU, triggering the Article 65 dispute resolution procedure. Although the EDPB rejected many of the objections, its binding decision resulted in a fine of €405m, including a requirement that €20m be attributed to the infringement of Article 6(1), the failure to establish a legal basis for processing users' contact information. A similar situation occurred (albeit involving different supervisory authorities) in the DPC's investigation into WhatsApp last year, where the initial proposal of a €30 to €50 million fine was increased to €225 million following the EDPB's decision.

Next steps and key takeaways 

Meta has said that it plans to appeal the fine, noting that it fully cooperated with regulators during the investigation. It also stated that it changed the default settings for younger users last year and added new features intended to protect younger users' data.

This fine, considered together with previous DPC decisions and those issued by other data protection authorities around Europe, indicates that fines for GDPR breaches are likely to become more frequent and more significant. Businesses should therefore ensure that their systems and procedures are GDPR compliant from the outset, with particular attention to default settings and to the legal basis for any processing, and should be aware that regulators are monitoring this closely.

The scale of this decision also reflects the strong emphasis which regulators are placing on the commitment to strengthening the protection of children online. This is also clear from the focus placed on measures to protect children online as part of the upcoming UK Online Safety Bill, which we have written about here.