Ireland’s personal data regulator has imposed a 400 million euro fine on Instagram. In question: defects in the protection of the data of minors.
The penalty is now among the highest sanctions taken under the General Data Protection Regulation (GDPR). On September 5, 2022, the American media Politico learned of the decision of the Irish regulatory authority (DPC) to impose a fine of 405 million euros on Instagram, the subsidiary of Meta – and incidentally the parent company of Facebook and WhatsApp .
Accounts transformed into pro profiles, whose data became public
At the origin of the problem, the way in which the personal data of minor Internet users were managed by the social network dedicated to sharing photos and videos. The offenses relate to the dissemination of emails and telephone numbers – sensitive contact information. These elements were publicly visible.
Instagram allows the registration of Internet users who are between the ages of 13 and 18. Its terms of use, on the other hand, are opposed in principle to the presence of younger children. But this registration is often challenged by younger minors, who lie about their age when creating their account. Instagram is trying to prevent these arrivals, without succeeding completely.
But in this case, the concern is that some minors have transformed their standard Instagram account into a professional account. The tools to transform a profile were too easily accessible. When the complaint against the site was filed, at the end of 2020, it was estimated that 5 million children had their data exposed.
The height of the sanction decided by the Irish counterpart of the National Commission for Computing and Liberties (Cnil) took into account the nature of the victims, the scale of the problem and the number of breaches of the GDPR. It is in second position for the strongest penalties, after that targeting Amazon – 746 million euros in July 2021.
The matter may not end there, with Meta retaining the ability to appeal the regulator’s verdict. In Politico, the company also appeared to regret that the DPC did not take into account the most recent security changes to ensure the protection of children and that it continued its investigation “ on old settings […] updated over a year ago “.