Record Fine Imposed on Instagram owner Meta for GDPR Infringement

On 2 September 2022, the Data Protection Commission (DPC) issued an administrative fine of €405m to Instagram owner, Meta Platforms Ireland Limited (Meta) (September 2022 fine).  The September 2022 fine takes account of the decision of the European Data Protection Board (EDPB) requiring the DPC to amend its originally recommended fine for Meta of up to €405m.

The September 2022 fine is the second-highest fine administered by any EU data protection authority under the GDPR to date.  The highest being the €746m fine levied on Amazon by Luxembourg’s DPA in July of last year.  It is however, the highest fine levied on Meta under the GDPR and the largest fine issued to date by the DPC.  It is also the third fine to be issued to a Meta-owned company by the DPC (there was the €225m fine for Whatsapp in 2019 and the €17m fine for Meta Platforms Ireland Ltd (Facebook) earlier this year). There are at least six other DPC investigations into Meta-owned companies in the pipeline.

Meta has said that it intends to appeal the DPC’s ruling.

DPC inquiry pre-September 2022 fine

The DPC’s inquiry began two years prior to the September 2022 fine and concerned breaches relating to the processing of children’s data.  It was initiated in response to information provided by a US data scientist and issues identified by the DPC with Instagram’s user registration process.  In particular, the inquiry focused on the public disclosure of children’s contact details when they used Instagram’s business accounts and the default setting of children’s personal Instagram accounts to ‘public’.

EU coordination of GDPR enforcement

Following its inquiry, the DPC, as lead supervisory authority responsible for overseeing Meta, prepared a draft decision which was shared with all other EU regulators.  Six regulators disagreed with the draft decision; Finland, France, Germany, Italy, the Netherlands, and Norway issued objections under Art. 60(4) GDPR. The DPC was unable to reach a consensus with these regulators on the subject matter of the objections. As a result, the DPC was required to ask the European Data Protection Board (EDPB) to adopt a binding decision under the Article 65 dispute resolution mechanism.

On 28 July 2022, the EDPB adopted a binding decision rejecting a “considerable quantity of the objections but [upholding] objections requiring the DPC to amend its draft decision to include a finding of infringement of Article 6(1) GDPR and to reassess its proposed administrative fine on [that] basis” (according to the September 2022 DPC press release).  The EDPB found that, as the processing of children’s data was not necessary for the performance of a contract or Meta’s legitimate interests, Meta infringed Article 6(1) by processing this personal data unlawfully without an appropriate legal basis.

The September 2022 fine, taking account of the EDPB decision, includes a fine of €20 million for the Article 6(1) infringement.  In addition to the fine, the DPC has imposed a reprimand and an order requiring Meta to bring its processing into compliance by taking a range of remedial actions.  Notably, however, the issues in respect of which the September 2022 fine was imposed are mostly legacy issues as since September 2019, Instagram accounts of users aged under 18 are automatically set to ‘private’ when they join the platform.

Conclusion

The EDPB Chair noted the historic nature of the decision as the “first EU-wide decision on children’s data protection rights”.  For companies, the decision should serve to highlight the rigorous data protection standards to be applied to the protection and processing of children’s data.

For further information and data protection insights please contact John O’Connor or Michelle Daly.

Contributed by Kate Sullivan