bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

  • "really fights your corner..."
    "really fights your corner..." Chambers UK
  • "Consistently high-quality work and client-friendly approach."
    "Consistently high-quality work and client-friendly approach." Chambers UK

Irish Data Protection Regulator Fines Instagram €405 Million For Child Data Infringements

29 September 2022

Earlier this month (September 2022) Meta Platforms Ireland Limited (a subsidiary of Meta Inc (owner of numerous social media sites including Facebook, Instagram and WhatsApp) was fined €405 Million by Ireland’s Data Protection Commission (“DPC”) following an investigation into their handling of children’s data on Instagram, the fine being one of the largest of its kind issued by the regulator.

Following an investigation by the DPC ongoing since September 2020 it was found that the platform was in breach of the Data Protection Act 2018 (Ireland’s method of implementing the EU GDPR regulations introduced in 2016) specifically relating to users of the platform aged 13 – 17.

    Paul Motion

 Paul Motion
Partner

    Jamie Stewart

 Jamie Stewart
Trainee Solicitor

Failures were identified in 2 key areas, those being:

  • Meta, through Instagram, were allowing child users to open and use “business accounts” which automatically publicised or facilitated the publication of sensitive data to all other users of the platform (DPC using the wording “the world at large”) including a child’s phone number and/or email address; and
  • The Instagram platform operates a user registration system where accounts of all users, including children, is set to “public” by default – automatically making the posts and details of a user public in the absence of user changes within app settings. In order to change this and make the information private the user is required to access account privacy settings and change them from “public” to “private”.

Meta are currently in the process of appealing the decision stating that numerous updates have been brought to the Instagram platform designed to better safeguard the data of children and young adults. At the date of writing there has been no further information about the details of the appeal.

This is not the first time a tech giant has faced sanctions from the Irish data protection regulators who are in charge of policing the actions of numerous large tech firms with European headquarters based in Dublin (including Meta, Apple and Google). Another example being WhatsApp (the messaging service owned by Meta) who faced a fine of €225 Million by the DPC in 2018 for failing to provide the required data processing information to service users required under the EU GDPR Regulations.

What Does it Mean

While the UK GDPR Regulations are separate from those of the EU they draw heavily on the provisions of the European regulation. This means that tech giants operating in the UK should not only be aware of the provisions of UK regulation but decisions taken by European regulators in big data matters like that faced by Instagram and other social media platforms.

The regulator found that the actions of Instagram had breached Articles 6 (Lawful Processing), 5 (Principles Relating to Processing of Personal Data, particularly relating to lawfulness, fairness and transparency and data minimisation), 12 (Transparency for the Exercise of Rights of Data Subjects), 24 (Responsibility of Controller), 25 (Data Protection by Design and Default) and, 35 (Data Protection Impact Assessments) of the European Data Protection Regulations as implemented in the Ireland.

It is estimated that around 8 – 10% of Instagram’s 1.2 Billion users fall into the age bracket of 13 – 17. However, it is important to note that GDPR regulations apply to all, not only children, and users should be aware of the data held by social media platforms (particularly that which is available to the wider public). Data controllers like social media sites are under strict obligations to safeguard the rights of their users and “data subjects” but steps can be taken to effectively manage your own data on social media and simple steps like setting accounts to “private” are highly effective methods of managing your own data and ensuring your personal information is kept as safe as possible in what can easily be a very public forum.

There is no set age at which a child is generally considered to be competent to provide their own consent to data processing. If this question arises, the answer depends on an objective assessment of the child's capability and understanding. However in Scotland unlike the rest of the UK, children aged 12 or over are automatically presumed to be of sufficient age and maturity to provide their own consent for data protection purposes, unless the contrary is shown.

The full decision of the Data Protection Commission of Ireland can be read here.

If you would like more information on GDPR or would like assistance in understanding how your data is being managed please contact a member of the BTO Data Protection team on 0131 222 2939.

Paul Motion, Partner and accredited Specialist in Data Protection and FOI Law: prm@bto.co.uk / 0131 222 2932

Jamie Stewart, Trainee Solicitor: jgs@bto.co.uk / 0131 222 2939

Related Links

“The level of service has always been excellent, with properly experienced solicitors dealing with appropriate cases" Legal 500

Contact BTO

Glasgow

  • 48 St. Vincent Street
  • Glasgow
  • G2 5HS
  • T:+44 (0)141 221 8012
  • F:+44 (0)141 221 7803

Edinburgh

  • One Edinburgh Quay
  • Edinburgh
  • EH3 9QG
  • T:+44 (0)131 222 2939
  • F:+44 (0)131 222 2949

Sectors

Services