A record fine has been imposed on Instagram by the Irish Cnil. This sanction could never have been imposed without the intervention of a European body.
Without the action of the European Data Protection Board, Instagram might have escaped its record fine of 405 million euros, which became known in early September 2022. The Irish data protection authority had initially had a first reading of the situation which led him to take no sanction against the social network, a subsidiary of Meta (Facebook, WhatsApp).
In this case, it was the configuration of accounts used by children that posed a problem. Some of them had set their profile to a professional account. However, this format makes certain personal data, including telephone numbers and e-mail addresses, public. A complaint had been filed at the end of 2020 and the Irish body had also launched an inspection. But, this one did not give satisfaction.
The Irish CNIL corrects its assessment of the situation
As noted on September 15, 2022 by the National Commission for Computing and Liberties (Cnil), which is the counterpart in France of the Irish authority, the draft decision contained a divergent analysis of the assessment of the European Committee. He therefore had to act to ask the Irish body to modify its text, in order to establish a breach of the General Data Protection Regulation (GDPR). Here, the absence of a legal basis for the processing of personal data of children.
The regulation grants prerogatives to the Committee, which authorize it to adopt legally binding decisions in the event of disputes between supervisory authorities, to establish guidelines and to ensure that the GDPR is applied consistently in the Union. European. Attributes that the Committee mobilized for the very first time, notes the CNIL, precisely because a disagreement emerged between supervisory authorities.
This first intervention by the Committee is a signal not only for the Irish authority, but also for all the digital companies established in Ireland and which were perhaps hoping for a certain magnanimity on its part: other supervisory authorities can quite different story and require greater firmness. And the Committee has the authority to ask the Irish body to better interpret the GDPR.