Irish data protection watchdog slaps Meta’s Instagram with a hefty €405m (£349m) fine for letting teenagers display their contact details
The Guardian reported that the huge penalty follows an investigation into an Instagram setting that allowed teenagers to set up accounts that displayed their contact details, including phone numbers and email addresses.
It comes after Instagram last month refuted a claim circulating widely online that the “precise location” feature on iOS and Android devices could share a user’s exact location with other Instagram users.
That company denial came in response to social media posts that began circulating widely, which urged users to turn off the precise location feature and claimed that criminals were using the feature to target people.
Now according to the Guardian, the Irish Data Protection Commission said the penalty comes after a two-year investigation into potential breaches of the European Union’s general data protection regulation (GDPR).
Instagram had reportedly allowed users aged between 13 and 17 to operate business accounts on the platform, which showed the users’ phone numbers and email addresses.
The DPC also found the platform had operated a user registration system whereby the accounts of 13-to-17-year-old users were set to “public” by default.
It should be noted that the Irish DPC is responsible for regulating Meta on behalf of the entire European Union, because the company’s European headquarters are located in Ireland.
The penalty is the highest imposed on Meta by the watchdog, after a €225m fine imposed in September 2021 for “severe” and “serious” infringements of GDPR at WhatsApp.
The Irish regulator also imposed an additional €17m fine in March this year.
“We adopted our final decision last Friday and it does contain a fine of €405m. Full details of the decision will be published next week,” a DPC spokesperson was quoted by the Guardian newspaper as saying.
“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson was quoted by the Guardian as saying.
“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.
“While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it,” the spokesperson added.
“We’re continuing to carefully review the rest of the decision,” it added.
Dan Middleton, VP UK & Ireland at backup, recovery and data management specialist Veeam, said the case shows that businesses must place data integrity, security and resilience at the heart of their operations.
“The news that Ireland’s Data Protection Commission has issued the second largest GDPR fine in history – €405m – drives home the critical importance of adopting strict data management and protection measures,” said Middleton.
“While it is by no means unique in this situation, the photo sharing platform involved has changed its approach to data protection since the issues that led to the fine took place,” said Middleton. “However, this case demonstrates that past data management decisions have implications not just for the time at which they are made, but into the future. Decision makers need to be aware of any consequential issues that can arise when it comes to protecting and managing users’ data.”
“Businesses must place data integrity, security and resilience at the heart of their operations to severely reduce, if not avert, the risk of their own and their end users’ data being exposed to unwelcome consequences,” said Middleton. “Not only will this prevent hefty fines, such as those issued by the DPC, but it will ensure that their reputation doesn’t suffer as a result of a management error or data protection oversight.”
“When companies are entrusted with their customers’ sensitive data, there are no measures that go too far,” cautioned Middleton. “They must be aware that they are custodians of any data they collect, process and use, and it is therefore their responsibility to ensure that this data is protected.”
“This needs to go beyond a simple box ticking exercise to ensure GDPR compliance, and instead a business-wide culture of transparency and responsibility must be adopted,” Middleton concluded. “When it comes to data protection, this should include a full business continuity strategy, that includes resilience measures, including secure, immutable backups and disaster recovery solutions that can be drawn upon if data is maliciously accessed.”