Irish data watchdog fines Instagram €405 million

Instagram's parent, Meta, intends to file an appeal against the fine

It is the second-largest GDPR fine to date, and deals with Instagram's failure to protect children.

Ireland's Data Protection Commission (DPC) has fined Instagram a record €405 million for violating the General Data Protection Regulation (GDPR) and failing to protect children's data.

The DPC's fine comes after a two-year investigation into the social media platform, which is owned by Meta.

The probe covered complaints that Instagram set all users' accounts to public settings by default, including those of users between the ages of 13 and 17. The probe also dealt with how teenagers with Instagram business accounts - many of them aspiring influencers - were allowed to make their email addresses and phone numbers public.

A spokesperson for the regulator told the BBC that the decision to impose a fine against Instagram under the GDPR was made on 2nd September.

The specifics of the ruling will be made public next week.

Meta disagreed with the decision and said it intended to file an appeal against the fine.

The company said the probe centred on old settings that had been updated more than a year ago, and that it has subsequently introduced additional protections to keep teenagers secure and their information private.

'Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can't message teens who don't follow them,' Meta said.

The firm disagrees with how the fine was calculated and said it was reviewing the ruling.

Commenting on the DPC's decision, Andy Burrows, head of child-safety-online policy for the National Society for the Prevention of Cruelty to Children (NSPCC), called it a "major breach" that had "significant safeguarding implications" and "the potential to cause real harm to children using Instagram."

He added that the ruling highlights how effective enforcement of regulations can safeguard children on social media.

"It's now over to the new Prime Minister to keep the promise to give children the strongest possible protections by delivering the Online Safety Bill in full and without delay."

The fine, the third the Irish regulator has imposed on a Meta-owned firm, is the second-highest imposed under the GDPR after a €746 million penalty against Amazon last year.

Also last year, the DPC fined Meta €225 million in relation to its messaging app WhatsApp, and in March it imposed a penalty of €17 million after holding an inquiry into data breach notifications on Facebook.

The Instagram fine is the latest in a series of steps taken by regulators in the US and Europe to limit what data companies gather and share about teens online.

The data children generate on social networking platforms, online video games, and other internet services are the focus of policymakers' efforts to improve data protection.

European legislators this year introduced more regulations pertaining to children. This includes the Digital Services Act, which bars companies from using specific data to personalise ads shown to under-18s.

Last week, the Californian state senate approved a law, which could go into effect in 2024, that would require many online services to bolster child safety measures.

In the UK, changes to social networking sites were brought in to safeguard children's privacy after the Children's Code, also known as an age-appropriate design code, was passed into law last year.