Instagram Receives New Fine of €405m for GDPR Violations
News broke this week that the popular photo and video-sharing platform Instagram, the latest social media company to be fined for violating the personal privacy of its users, was being fined €405m ($403 million) for violating Ireland’s Data Protection Act (DPA) of 2018. As Ireland is one of the many nations that comprise the European Union, the DPA of 2018 was enacted for the purpose of implementing the numerous provisions of the General Data Protection Regulation (GDPR) into Irish law, effectively mandating that businesses and organizations adhere to strict requirements when selling products and services to the millions of citizens that make up the country.
To this last point, the fine that Ireland’s Data Protection Commissioner (DPC) recently imposed against Instagram was in relation to the company’s alleged inability to protect the personal information of minors that have been utilizing the social media platform within the nation over the past several years. As stated in a Reuters article that was written concerning the matter on August 6, 2022, “The investigation, which started in 2020, focused on child users between the ages of 13 and 17 who were allowed to operate business accounts, which facilitated the publication of the user’s phone number and/or email address.”
Likewise, Ireland’s DPA of 2018 states that the “digital age of consent for Ireland is 16 years. Therefore, 16 years is the minimum age at which a child may provide their consent to the processing of their personal data in respect of information society services.” For this reason, Instagram would have had to obtain consent from the parents or guardians of any users of its platform within Ireland who were under the age of 16, as a failure to do so would essentially constitute a violation of the data protection and personal privacy rights of these underage individuals. Moreover, this legal requirement is by no means unique to Ireland, as many other EU nation-states also place similar restrictions on the personal data of minors.
Nevertheless, as Instagram is undoubtedly one of the most widespread social media platforms around the globe at the moment, the data collection and retention practices that led to monetary fines within Ireland would have been deemed perfectly legitimate in many other parts of the world. For comparison, America’s foremost data privacy law pertaining to the protection of minors, the Children’s Online Privacy Protection Act (COPPA), works to give parents within the U.S. the means to monitor and regulate the online usage of their children. However, in spite of the fact that many businesses have received massive monetary fines for violating the COPPA in recent years, the data privacy landscape within the U.S. is far less stringent than that of the EU.
Meanwhile, in response to the allegations of privacy violations and the subsequent fines that were imposed against Instagram, a spokesperson for Meta, the parent company of the social media platform, released a statement that said, “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it. We’re continuing to carefully review the rest of the decision.”
For context, representatives that work for Instagram have publicly stated that while users had the ability to submit their own contact information when creating business accounts on the social media platform prior to September 2019, any user under the age of 18 that has created any type of account via the online platform after this date will have their account set to private automatically after they sign up. Nevertheless, Ireland’s DPC has maintained that Instagram’s inability to protect the personal information of the minors that use their platform signified a violation of the nation’s DPA of 2018. Furthermore, the DPC has also stated that additional information concerning the factors that led to the decision to fine Instagram hundreds of millions of dollars will be released to the general public in the upcoming week.
While the EU’s GDPR was passed in 2016 and went into effect two years later in 2018, it obviously takes a certain amount of time to adequately investigate a major online platform such as Instagram with regard to alleged violations of personal privacy. For this reason, major enforcement decisions against businesses and corporations that operate within the EU have not been forthcoming as of 2022, due in part to the inherent ways in which major technology companies such as Meta collect, retain, and disclose personal information in the first place. Nonetheless, the fine that was imposed against Instagram by Ireland’s DPC this week will surely put other businesses around the world on notice as it pertains to data privacy within Europe.