Highlights:
- A DPC representative acknowledged the fine and stated that further information regarding the judgment would be available next week.
- According to Politico, this is the second-largest fine imposed by Europe’s GDPR legislation and the third-largest sanction imposed on Meta by the regulator.
Ireland’s data protection authority has fined Meta Platforms Inc. 405 million euros – USD 402 million – after deciding that Instagram did not comply with the General Data Protection Regulation (GDPR) privacy rules. The Irish Data Protection Commission levied the penalty for Instagram’s handling of children’s privacy settings that violated GDPR.
According to Politico, this is the second-largest fine imposed by Europe’s GDPR legislation and the third-largest fine imposed on Meta by the regulator.
A DPC representative acknowledged the fine and stated that further information regarding the judgment would be available next week. The penalty results from the picture-sharing app’s privacy settings on accounts run by children. The DPC was looking into children’s usage of business profiles on Instagram, which made personal information like email addresses and phone numbers available publicly. The probe also looked at Instagram’s policy of making all new accounts publicly visible by default, including those of minors.
According to Reuters, Meta permitted youngsters aged 13 to 17 to create business profiles on Instagram. The settings of such business accounts allegedly allowed the release of individuals’ phone numbers and email addresses.
The DPC began investigating the probe in 2020 and published a draft judgment before announcing the USD 402 million fine. According to reports, other European Union data protection officials did not accept the proposed ruling instantly. As a result, the DPC initiated a so-called dispute-resolution procedure in which it solicited feedback on the probe from several other EU regulatory authorities.
Meta spokesperson told Politico, “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry and carefully reviewed their final decision.”
Since Meta’s EU headquarters are based in Ireland, DPC is responsible for conducting GDPR inquiries related to Meta. The fine disclosed this time is the third levied by the DPC to Meta since the implementation of GDPR.
Previously, in March, the regulator penalized Facebook USD 18.7 million for GDPR violations relating to its cybersecurity measures. Meta was fined USD 267 million by the DPC after the latter discovered that the WhatsApp unit’s privacy policies fell short of legal criteria. According to DPC investigators, WhatsApp failed to offer consumers adequate information about how it gathers and analyses personal data.
Meta’s privacy practices have also come under criticism in the United States. Last month, the business proposed to pay USD 37.5 million to settle a lawsuit that accused it of illegally gathering users’ location data. In February, Meta paid USD 90 million to resolve another complaint over data harvesting tactics.