The Data Protection Commission (DPC), the Irish supervisory authority for the General Data Protection Regulation (GDPR), has slapped Meta-owned Instagram with a €405 million (around $402 million) fine for mishandling of children’s data including their email addresses and phone numbers.
The €405 million fine is the second-highest penalty imposed for GDPR violations after Luxembourg’s regulators fined Amazon €746 million last year for processing data it shouldn’t have. This is the third (and largest) fine imposed by the Irish regulator on a Meta-owned company.
“We adopted our final decision last Friday and it does contain a fine of 405 million euro,” said the spokesperson for Ireland’s Data Protection Commissioner (DPC), the chief regulator of Instagram’s parent company Meta Platforms Inc. However, the complete details of the decision will be released next week, the spokesperson added.
The Irish DPC began its investigation of Instagram back in 2020, which focused on the “appropriateness” of the Instagram profiles, account settings for children between the ages of 13 and 17, and the firm’s “responsibility to protect the data protection rights of children as vulnerable persons”. The minimum age for Instagram users is 13.
Instagram allowed teenagers from these age groups to sign up for the service as a business or a creator account, which required them to share their contact information, including phone numbers and email addresses.
During the investigation, the DPC discovered that the social media platform, which featured a user registration process had accounts of users between the ages of 13 and 17 automatically set to “public” until last summer.
This resulted in the social media content of teenagers being made public unless the account was otherwise set to private by changing the account’s privacy settings. As a result, it led to the publication of children’s phone numbers and/or email addresses, which made them contactable by adults, and easy targets for advertisers among other safety concerns.
A Meta spokesperson said that the company updated the public-by-default setting on the Instagram app more than a year ago and has even added more safety features for teenagers.
“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them,” the Meta spokesperson said in a statement.
“We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.” The spokesperson said Instagram disagrees with how the fine was calculated and is planning to appeal against it.
The Irish DPC has still another six investigations into Meta-owned companies in the pipeline for which it has not provided any details related to the inquiry or fine.