Instagram Hit With €405M EU Fine for Mishandling Teens’ Data

Close up of Instagram app icon on an iPhone

Ireland’s Data Protection Commission (DPC) levied a €405 million (approximately $403 million) fine on Instagram for mishandling teenagers’ data under EU law. The DPC went after Instagram for policies that put the information, including email addresses and phone numbers, of children and teens at risk.

The commission informed Instagram’s parent company, Meta, of its decision and the fine on Friday, Sept. 2, 2022. It plans to publish the full details of its inquiry this week. However, the exact penalty figure appears to have leaked prior to publication.

“We adopted our final decision last Friday and it does contain a fine of €405 million,” deputy commissioner Graham Doyle told TechCrunch. “Full details of the decision will publish next week.”

What We Know About the DPC’s Instagram Inquiry

The Irish DPC has been engaged in a long-standing investigation into Instagram’s privacy policies concerning children and teenagers, the exact details of which will come out later this week. However, multiple reports state that the DPC focused on the processing of underage customers’ data for business accounts.

Instagram reportedly allowed users, including teens, to upgrade to business accounts, which made more of their information public. This includes information such as phone numbers and email addresses. Furthermore, Instagram’s user registration system for such accounts sets them to “public” by default.

Such lax privacy protections would violate the EU’s General Data Protection Regulation (GDPR), which requires privacy by design measures.

According to Politico, the DPC has at least six more investigations lined up against Meta and its line of companies in the near future. If true, this would signal a change in how the Irish DPC deals with big tech’s alleged privacy transgressions. The DPC has previously come under criticism for not taking action against Google in the recent past.

Meta Plans to Appeal DPC’s Decision

After the DPC’s decision and fine came to light, a Meta spokesperson said the company already intends to appeal the decision. Meta complied with the DPC during the course of the investigation, and said it does not agree with the size of the fine.

“This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson told the BBC.

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post and adults can’t message teens who don’t follow them. While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.”

Meta introduced changes to its privacy policy earlier this year, also introducing new privacy controls to make it easier for users to manage ads on Facebook and Instagram. In December last year, the company was very vocal about its dedication to privacy and cybersecurity.

These measures hint that the company is invested in regaining the public trust after its reputation took a hammering after years of high-profile incidents concerning user privacy.

Facebook, also under Meta’s umbrella, has faced repeated heavy fines in Italy for its data handling. Back in the U.S., Facebook has constantly battled litigation for its privacy practices, and has had to answer for its role in the wide-spanning Cambridge Analytica scandal.

Largest Fine Against Meta, Third Largest in History

The Irish DPC’s fine is the largest ever levied by a European data protection authority against Meta. Last year, the European Data Protection Board hit the company with a €225 million fine, claiming WhatsApp’s transparency policies fell foul of the GDPR.

This latest fine is the third largest in history, with Amazon holding the distinction of the largest ever fine. In June 2021, Luxembourg’s data watchdog, the CNPD, hit Amazon with a record $887 million fine for violating the GDPR.

If you found this article concerning, we recommend checking out our detailed article about teens’ and kids’ safety on Instagram. We’ve also compiled a guide for securing your Instagram privacy settings, without actually deleting the app.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.