RegSol Blog

Instagram Fined record €405 million for Breach of Children's Data Rights

September 2022

On the 2nd September 2022, Instagram (owned by Meta, formerly known as Facebook), was fined €405 million by the Data Protection Commission (“DPC”) for breaches of the GDPR after a two-year investigation into how the social media platform handles children’s data.

It is the largest fine ever imposed by the DPC and once it has been paid, the money will go to the Irish exchequer. It is also the third fine for a Meta-owned company handed down by the DPC.

The fine, which is the second largest GDPR penalty to ever be handed down (Luxembourg’s data protection authority (CNPD) fined Amazon a record €746 million for non-compliance in July), covers alleged violations stemming from Instagram's default account settings for children ages 13-17.

Recital 38 of the GDPR highlights that where children’s data is used to create user profiles, specific protections should apply since children may be less aware of the risk, consequences and safeguards and their rights in relation to the processing of data.

The breaches concerning Instagram related to:

  1. Teenage users aged 13-17 being allowed to operate ‘business accounts’ on Instagram, which resulted in the publication of their phone numbers and email addresses.

  2. All accounts, including the accounts of teenage users, were set to public by default, unless the user affirmatively changed the privacy settings.

The investigation into the allegations began in October 2020 and the preliminary decision by the DPC was subject to a dispute resolution procedure under Article 65 of the GDPR. After submitting a draft decision for consideration by its peer regulators in the EU, also known as Concerned Supervisory Authorities (“CSAs”), in December 2021, six of them raised objections. The DPC was unable to reach consensus with the CSAs on the subject matter of the objections and it therefore referred the case to the European Data Protection Board (“EDPB”), in line with the Article 65 dispute resolution process of the GDPR.

The EDPB rejected some of the concerns, but upheld objections requiring the DPC to amend its draft decision to include an additional finding of infringement. The DPC's original draft decision had recommended a fine of up to €405m. The final penalty of €405m included a fine of €20m for an additional infringement that the DPC was asked to include.

In addition to these administrative fines, the DPC has also imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions.

EDPB Chair Andrea Jelinek said: “This is a historic decision. Not just because of the height of the fine - this is the second highest fine since the entry into application of the GDPR - it is also the first EU-wide decision on children’s data protection rights. With this binding decision, the EDPB makes it extra clear that companies targeting children have to be extra careful. Children merit specific protection with regard to their personal data.”

Instagram has indicated it intends to appeal the decision.

For further details on the DPC’s decision, you can click on the following link:

Data Protection Commission announces decision in Instagram Inquiry