Ireland’s data watchdog issues Instagram with 405 million euro fine

Ireland’s data protection watchdog has made a decision to fine Instagram 405 million euro over the way in which it handled teenagers’ personal data – the largest fine the authority has ever issued.

Instagram’s parent company Meta said in a statement that it plans to appeal against the decision.

The Data Protection Commission (DPC) began an inquiry in September 2020 in relation to how the social media giant processed the details of teenage minors on Instagram accounts.

The inquiry looked at a process by which users aged between 13 and 17 were allowed to operate business accounts on Instagram, which in some cases allowed, or required, children’s phone numbers and/or email addresses to be made public.

It also examined a process where the registration system for Instagram resulted in children’s accounts being set to “public” by default, which made the content uploaded by child users public, unless the Instagram profile was set to private by changing the account settings.

A DPC spokesman said in a statement to the PA news agency: “We adopted our final decision last Friday and it does contain a fine of 405 million euro.”

It is understood that the social media giant will be given a week to respond to the DPC’s decision, as part of the process.

“Full details of the decision will publish next week,” the spokesman added.

A Meta spokeswoman said in a statement to PA: “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private.

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.

“While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.

“We’re continuing to carefully review the rest of the decision.”

In September 2021, Facebook-owned messaging service WhatsApp was hit with a fine of 225 million euro by the DPC for breaching European Union laws on transparency, and the sharing of user information with other companies owned by Facebook.

This was the largest fine issued by the DPC before the Instagram fine issued on Monday.

The DPC fine issued to WhatsApp was also appealed against.

There have been increasing calls to better resource Ireland’s DPC, which is the de facto lead EU watchdog of data protection and privacy rules due to a large number of tech multinationals – including Facebook, Apple and Google – basing their European headquarters in Dublin.

In July, the Irish Government announced that two additional data protection commissioners would be hired, and that the current commissioner, Helen Dixon, would be promoted to chairwoman of the DPC.

It said that this was being done in response to “the increased working burden and investigative complexity has been regularly highlighted”.