September 6, 2022 – Instagram has been fined a staggering $400 million by the Irish Data Protection Commission (DPC) for violating teens’ privacy.
The DPC slapped parent organisation Meta with the penalty after concluding a two-year investigation into the company’s potential breaches of the European Union’s General Data Protection Regulation (GDPR). Meta allowed young users aged between 13 and 17 to sign up on Instagram with business accounts, which displayed their phone numbers and email addresses publicly. The investigation found that a user registration system on Instagram set the accounts belonging to minors to “public” by default.
“We adopted our final decision last Friday and it does contain a fine of €405m ($400m),” said a DPC spokesperson. “Full details of the decision will be published next week.”
Meta is planning to appeal against the fine, saying it disagrees with how it was calculated.
“This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson said. “Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post and adults can’t message teens who don’t follow them.”
This is the second largest fine handed out by the DPC to a tech corporation. In July last year, it fined Amazon $886 million over GDPR violations. However, the penalty is the highest slapped on Meta by the Irish watchdog, which fined Meta $266 million in September 2021 for “severe” violations of the GDPR at WhatsApp.
Also in March, Meta was fined $19 million following the conclusion of its inquiry into Facebook’s data breaches between June 7, 2018 and December 4, 2018. Around 50 million accounts were reportedly impacted, including by a software bug that enabled external developers to access photos of millions of users. Meta responded by saying that “this fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information”.
