Irish Data Protection Commissioner fines Instagram €405m

Ireland’s data regulator has imposed a record €405 million fine on Facebook owner Meta for violating children’s privacy on its Instagram service.

The breaches affected potentially millions of teenage users of Instagram as mobile phone numbers and email addresses were published automatically under default settings on the app’s “business account” service.

The penalty is the biggest handed down by the Data Protection Commissioner Helen Dixon since she assumed sweeping powers in 2018 to supervise the pan-European operations of technology companies such as Meta that have their EU headquarters in Dublin.

“We adopted our final decision last Friday and it does contain a fine of €405 million. Full details of the decision will publish next week,” Ms Dixon’s office said in response to questions.

Meta signalled it would appeal the fine, saying it disagreed with how the penalty was calculated. It said it “engaged fully” with the regulator throughout the investigation. The default settings had since been changed, it said.

The two-year inquiry into Instagram under the EU’s General Data Protection Regulation is one of several investigations by the Irish regulator’s office into Meta companies.

After a €225 million fine last year on Meta’s WhatsApp unit, the Instagram fine brings total penalties against the company in two years to €628 million.

Although the GDPR has been cast as a game-changer in the drive to control how big business uses consumers’ personal information, Ms Dixon has faced criticism from privacy campaigners for the slow pace at which inquiries into social media companies have been carried out by her office. She has always rejected such complaints, accusing critics of “superficial skimming of the surface” and “exaggeration”.

The Irish regulator’s counterparts in Finland, France, Germany, Italy, the Netherlands and Norway had objected to her original proposals to penalise Instagram, prompting a dispute resolution process at the Brussels-based European Data Protection Board (EDPB) which was settled in July. The board co-ordinates the work of national and regional data regulators in the EU and a handful of countries outside the union.

The Instagram case centred on concern about “business accounts” operated by child users of the Instagram service who were aged 13-17. Such accounts were found at certain times to require or facilitate publication to the world at large of the child user’s phone number or email address or both phone and email.

The service was also found to have operated a user registration system in which settings for child users were set to “public” by default, making public their social media content unless the account was otherwise set to “private” by changing the account settings.

Meta said it continued to review the regulator’s decision on Instagram. “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” the company said.

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.”

In the WhatsApp case, Ms Dixon had originally proposed a fine of €30 million-€50 million. Eight data regulators in EU countries rejected her proposed fine, leading to a dispute resolution process at the EDPB, which oversees the GDPR. The board directed Ms Dixon to increase the penalty.

Asked on Monday about the Instagram penalty, the European Data Protection Board said it was “not in a position to comment at this stage”.