DPC issues €405 million GDPR fine to Instagram

On 15 September 2022, the Irish Data Protection Commission (DPC) issued a final decision and imposed a €405 million fine on Instagram, a social media platform owned by Meta, for violations of the General Data Protection Regulation (GDPR) regarding the processing of children’s data.

Investigation

On 21 September 2020, the DPC initiated an investigation related to child users of Instagram in response to information provided by US data scientist David Stier and in connection with other issues identified by the DPC after examination of the Instagram user registration process.

The investigation examined the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children.

Decision

Following the investigation, the DPC submitted a draft decision to all relevant data protection authorities in the EU. Six of these national regulators raised objections to the DPC’s draft decision.

The DPC was unable to reach a consensus and therefore referred the case to the European Data Protection Board (EDPB), in line with the Article 65 dispute resolution process of the GDPR.

The EDPB adopted its binding decision, which rejected a considerable number of objections but upheld those requiring the DPC to amend its draft decision to include a finding of infringement of Article 6(1) GDPR and to reassess its proposed administrative fines to take this additional infringement into account.

Having incorporated these amendments, the DPC’s decision was adopted, which included infringements of:

Fine

The DPC’s original draft decision had recommended a fine of up to €405 million and, having taken account of the EDPB’s binding decision, the fine imposed on Meta Platforms totals €405 million, including a fine of €20 million for the infringement of Article 6(1).

In addition to these administrative fines, the DPC has also reprimanded Meta Platforms and ordered it to take the necessary measures to bring its processing into compliance.

Meta’s response

Meta commented that the violation concerns old settings, updated a year ago, governing the privacy of Instagram users under 18 (you have to be at least 13 to have an Instagram account).

According to Meta, the new Instagram settings focus on keeping children safe and their information private: their accounts are automatically set to private when they join Instagram, and adults can’t message teens who don’t follow them.

This is the third penalty for Meta and the second-largest GDPR fine to date, surpassed only by the €746 million fine issued to Amazon in 2021.

Read the DPC’s entire press release.
