top of page
Writer's pictureBahar Şahin

Children's Data: Instagram Fined €405 Million by DPC



The second highest fine is given because of not properly managing children's data rights.


What is meant by "best interest of the child" regarding data protection?


As ICO explained, the best interest of the child comes first. In the United Nations Convention on the Rights of the Child ("the UNCRC") Art. 3, it is simply stated where there is a child subjected to an action, legislators must first, consider the child's best interest. This is applied in all legislative, administrative, and judicial actions. The action can be related to family courts, the protection of the children, and both private and public matters. In this case, the aforementioned action is related to data protection.


As is known to all, children can use social media platforms. So there are different types of good practices to protect children's interests. There are Netflix's kids' accounts to protect children from harmful content such as scenes consisting of violence or drug abuse. Another example would be Snapchat, which is a feature that allows parents to see who their children are talking to on the app. Yet, social media platforms are under serious criticism. Some examples include TikTok, WhatsApp, and Discord. The other notable example is Instagram.

The Application Leading to the Fine


There are two different settings on Instagram. The first one is an account in which the users can share their photos on their profiles and has other features. The second account is the problematic one, the business account. The business account can be used by children and there is no supervision on whether or not the user is a minor.


The business account is public by default which means all the photos and information about the business owner such as phone number and e-mail is open to the public. If young users under the age of 18 set up a business account, their contact information will be publicly available.


GDPR adopts the principle of privacy by design and default. The term "privacy by design" means data protection through the process of technology or software design stage. "Privacy by default" means the data controller ensures that only data strictly necessary for each specific purpose of the processing are processed without the intervention of the user. In the decision, public by default application to the accounts is found to violate GDPR, since there is little to no explanation about business accounts' being public.


Instagram's Fine of €405M


Irish supervisory authority, Data Protection Commission ("DPC"), commenced the investigation on 21 September 2020 and requested information from Meta, Instagram's parent company. DPC provided the "Statement of Issues" which contains problems to be solved in terms of GDPR. Meta provided DPC with responses and an updated version of the Legitimate Interest Assessment. On 11 June 2021, DPC issued a "Preliminary Draft Decision" against Meta IE regarding its processing activities in the scope of the ongoing investigation. After one month, Meta submitted its response to the Preliminary Draft Decision and provided additional submissions regarding Art. 83(3) of the GDPR - which is an article that sets forth the rules on general conditions for imposing administrative fines. Since other supervisory authorities raised objections, on 13 May 2022, DPC initiated the dispute resolution procedure under Article 65(1)(a) GDPR which extended the time for the process.


After nearly two years, a binding decision of the dispute arose on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR was adopted on 28 July 2022. The dispute resolution mechanism intended to


DPC asked numerous questions about complying with the GDPR and protecting young users' data. After lengthy research and several considerations, DPC has found that Instagram violated GDPR.

After the dispute resolution process, European Data Protection Board's ("EDPB") decision was in favor of DPC's decision and affirmed the decision with a few supplemental changes from other supervisory authorities.


On 2 September 2022, DPC finalized and published the decision. According to the aforementioned decision, the fine is given because of 10 different violations which summed up to €405 million.


Significance of the Decision


As it is mentioned, this decision included the second-highest fine in the history of GDPR fines.



"The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online."

 

The facts and figures in this article are based on EDPB's Decision (available here) and the Irish Supervisory Authority/ Data Protection Commission (available here).


Recent Posts

See All

Comments


bottom of page