Facebook owner Meta Platforms is facing a potentially large fine for violating children’s privacy on its Instagram service, months after the company set aside hundreds of millions of euro to cover the cost of regulatory inquiries.
The proposed fine from Irish data regulator Helen Dixon is the first relating to breaches of children’s data rights in a cross-border investigation since she took on pan-European powers in 2018 to enforce the EU’s new privacy regime.
The General Data Protection Regulation (GDPR) was cast as a game-changer in the drive to control how big tech companies use consumers’ personal information, giving Ms Dixon’s Data Protection Commission (DPC) sweeping powers to oversee scores of groups, such as Meta, that base their European headquarters in Ireland. But Ms Dixon’s steps to sanction Meta over the Instagram case have led to a dispute among European data regulators, six of whom have refused to back her proposed penalties. The reasons for the objections raised by regulators in Finland, France, Germany, Italy, the Netherlands and Norway remain unclear.
A separate dispute last year over a data fine on WhatsApp – another Facebook subsidiary – led to the €30-€50 million fine Ms Dixon proposed being increased to €225 million. WhatsApp has appealed that ruling in the courts.
Joe Schmidt: ‘I felt if we could have built on our lead after half time’
‘It doesn’t have to be them or us’: Teachers behind new book of refugees’ stories want to challenge stereotypes
Ed Sheeran and Mary Robinson are right. It’s time to bin Band Aid
Podcast giant Joe Rogan may have played key role in US elections
Efforts to settle the row over Instagram are now under way at the European Data Protection Board, the Brussels-based body responsible for GDPR compliance in the EU and certain non-EU countries.
“The EDPB has received a formal submission with regard to Instagram, which is the first step in the triggering of the dispute resolution mechanism. We are currently assessing the completeness of the file,” the EDPB said in response to questions about the case.
“We continue to engage with the DPC on all relevant matters,” said Facebook in response to questions about the Instagram inquiry. There was no DPC comment.
Ms Dixon’s 2021 annual report said the case “concerns the processing of certain personal data of children by Facebook in the context of the Instagram social networking service, in particular relating to the operation by children of ‘business accounts’ and also certain default settings which were applied to children’s accounts”.
The corporate entity under scrutiny was Facebook Ireland Ltd (Facebook), now Meta Platforms Ireland Ltd. Citing “developments” in regulatory compliance matters, company accounts signed off in October set aside €724 million to cover administrative fines on top of €302 million previously set aside.
The Instagram inquiry is one of a several investigations by Ms Dixon’s office into Facebook and other sites it controls so it is not possible from such accounts to determine the company’s provision for that case.