Instagram Receives New Fine of €405m for GDPR Violations

September 07, 2022 | 4 minutes read
Instagram Receives New Fine of €405m for GDPR Violations

As the latest social media company to be fined for violating the personal privacy of its respective users, news broke this week that the popular photo and video-sharing platform Instagram was being fined €405m ($403 million) for violating Ireland’s Data Protection Act (DPA) of 2018. As the country of Ireland is one of the many nations that comprise the European Union, the DPA of 2018 was enacted for the purpose of implementing the numerous provisions of the General Data Protection Regulation (GPDR) into Irish law, effectively mandating that businesses and organizations adhere to strict requirements when selling products and services to the millions of citizens that make up the country.

To this last point, the fine that Ireland’s Data Protection Commissioner (DPC) recently imposed against Instagram was in relation to the company’s alleged inability to protect the personal information of minors that have been utilizing the social media platform within the nation over the past several years. As stated in a Reuters article that was written concerning the matter on August 6, 2022, “The investigation, which started in 2020, focused on child users between the ages of 13 and 17 who were allowed to operate business accounts, which facilitated the publication of the user’s phone number and/or email address.”

Ireland’s DPA

Likewise, Ireland’s DPA of 2018 states that the “digital age of consent for Ireland is 16 years. Therefore, 16 years is the minimum age at which a child may provide their consent to the processing of their personal data in respect of information society services.” For this reason, Instagram would have had to obtain consent from the parents or guardians of any users of their platform within the country of Ireland that were under the age of 16, as a failure to do so would essentially comprise a violation of the data protection and personal privacy rights of these underaged individuals. Moreover, this legal requirement is by no means unique to the nation of Ireland, as many other EU nation-states also place similar restrictions on the personal data of minors.

Nevertheless, as Instagram is undoubtedly one of the most widespread social media platforms around the globe at the moment, the data collection and retention practices that led to monetary fines within the country of Ireland would have been deemed as perfectly legitimate and many other parts of the world. For comparison, America’s foremost data privacy law pertaining to the protection of minors, the Children’s Online Privacy Protection Act (COPPA) works to give parents within the U.S. the means to monitor and regulate the online usage of their children. However, in spite of the fact that many businesses have received massive monetary fines for violating the COPPA in recent years, the data privacy landscape within the U.S. is far less stringent than that of the EU.

Instagram’s response

Alternatively, in response to the allegations of privacy violations and the subsequent fines that were imposed against Instagram, a spokesperson for Meta, the parent company of the social media platform, released a statement that said “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it. We’re continuing to carefully review the rest of the decision.”

For context, representatives that work for Instagram have publicly stated that while users had the ability to submit their own contact information when creating business accounts on the social media platform prior to September 2019, any user under the age of 18 that has created any type of account via the online platform after this date will have their account set to private automatically after they sign up. Nevertheless, Ireland’s DPC has maintained that Instagram’s inability to protect the personal information of the minors that use their platform signified a violation of the nation’s DPA of 2018. Furthermore, the DPC has also stated that additional information concerning the factors that led to the decision to fine Instagram hundreds of millions of dollars will be released to the general public in the upcoming week.

While the EU’s GDPR was passed in 2016 and went into effect two years later in 2018, it obviously takes a certain amount of time to adequately investigate a major online platform such as Instagram with regard to alleged violations of personal privacy. For this reason, major enforcement decisions against businesses and corporations that operate within the EU have not been forthcoming as of 2022, due in part to the inherent ways in which major technology companies such as Meta collect, retain, and disclose personal information in the first place. Nonetheless, the fine that was imposed against Instagram by Ireland’s DPC this week will surely put other businesses around the world on notice as it pertains to data privacy within Europe.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Embarrassing Redaction Failures & How To Prevent Them
July 24, 2023 | 4 minutes read
Embarrassing Redaction Failures & How To Prevent Them

From exposing trade secrets to endangering operations by the National Security Agency, redacting documents incorrectly can lead to a lot of headaches.

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
Graphics Cards, Why Choosing The Right One Matters
June 19, 2023 | 7 minutes read
Graphics Cards, Why Choosing The Right One Matters

In the same way the conductor brings together different musicians and their instruments to create an enchanting symphony, graphics cards orchestrate the diverse elements of computer graphics to bring digital visuals to life.

Learn More »