On Monday, tech giant Instagram received a whopping €405 million fine from Irish regulators for violating children’s rights. Following a long-running complaint, Instagram was judged to have caused a data breach by allowing children to set up business accounts, which means their personal data are automatically displayed to the world. An oversight that may prove costly.
So, what is the problem? Instagram has allowed children between 13 and 17 to create and operate business accounts. And while you might wonder why they would bother changing their normal profile to a business one, the answer is straightforward: it gives them access to some useful and interesting analytics tools, such as a detailed overview of page visits. However, what these youngsters might not realise is that by switching to a professional account, their personal data (such as telephone number and email address) are processed and, by default, shared publicly. This was not made clear to Instagram’s users, according to the DPC (Data Protection Commission, the Irish supervisory authority).
Where did it go wrong?
The DPC, with the help of the European Data Protection Board (EDPB), which coordinated a decision-review process with the other interested EU data protection authorities, ruled that by allowing this, Instagram has infringed the GDPR. On one hand, the GDPR requires strong technical and organisational measures, including privacy by design and by default. “Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post and adults can’t message teens who don’t follow them”, a spokesperson for Meta (Instagram’s parent company) told the BBC. However, when the account is turned into a business account, it becomes public by default – a flaw in the system.
On the other hand, the GDPR also includes very strong provisions to protect children and their personal data. “The principle of accountability under GDPR requires organisations to take appropriate steps to determine in the first instance whether they are collecting the personal data of children and thereafter, to ensure that they comply with the higher standards of protection required of controllers under the GDPR with regard to the processing of children’s data” (p10). An example of this accountability: ensuring that children are addressed in clear language that they can understand (and preventing their data from being processed and shared with the world unknowingly).
Fat fines
The GDPR is one of the world’s strictest data protection laws, with over 1000 fines, from major to minor, issued since it came into force in 2018. Even though this is not the highest fine to date (€746 million for Amazon in 2021), it is the biggest one tech giant Meta has had to deal with yet, surpassing the €225 million penalty Instagram’s sister company WhatsApp received in September 2021 for infringing privacy regulations, which was the second-highest fine at that point. Meta has already released a statement saying it will appeal the DPC’s decision, as according to Meta it is based on old settings that were updated more than a year earlier with new features to keep underage users and their data safe. Yet, besides the fines already issued, the DPC alone has no less than six other investigations into Meta-owned companies in the pipeline. To be continued…