Instagram Fined €405 Million For Teenager Data Violation

Meta-owned Instagram has been handed a very stiff penalty by the Irish data protection watchdog, the Data Protection Commission (DPC).

The Guardian reported that the huge penalty follows an investigation into an Instagram setting that allowed teenagers to set up accounts that displayed their contact details, including phone numbers and email addresses.

It comes after Instagram last month refuted a claim circulating widely online that the “precise location” feature on iOS and Android devices could share a user’s exact location with other Instagram users.

Instagram fine

That company denial came in response to social media posts that began circulating widely, which urged users to turn off the precise location feature and claimed that criminals were using the feature to target people.

Now, according to the Guardian, the Irish Data Protection Commission said the penalty comes after a two-year investigation into potential breaches of the European Union’s General Data Protection Regulation (GDPR).

Instagram had reportedly allowed users aged between 13 and 17 to operate business accounts on the platform, which showed the users’ phone numbers and email addresses.

The DPC also found the platform had operated a user registration system whereby the accounts of 13-to-17-year-old users were set to “public” by default.

The Irish DPC is responsible for regulating Meta on behalf of the entire European Union, because the company’s European headquarters are located in Ireland.

The penalty is the highest imposed on Meta by the watchdog, after a €225m fine imposed in September 2021 for “severe” and “serious” infringements of GDPR at WhatsApp.

The Irish regulator also imposed an additional €17m fine in March this year.

“We adopted our final decision last Friday and it does contain a fine of €405m. Full details of the decision will be published next week,” a DPC spokesperson was quoted by the Guardian newspaper as saying.

Meta appeal

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson was quoted by the Guardian as saying.

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.

“While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it,” the spokesperson added.

“We’re continuing to carefully review the rest of the decision,” it added.

Data integrity

Dan Middleton, VP UK & Ireland at backup, recovery and data management specialist Veeam, said the case shows that businesses must place data integrity, security and resilience at the heart of their operations.

“The news that Ireland’s Data Protection Commission has issued the second largest GDPR fine in history – €405m – drives home the critical importance of adopting strict data management and protection measures,” said Middleton.

“While it is by no means unique in this situation, the photo sharing platform involved has changed its approach to data protection since the issues that led to the fine took place,” said Middleton. “However, this case demonstrates that past data management decisions have implications not just for the time at which they are made, but into the future. Decision makers need to be aware of any consequential issues that can arise when it comes to protecting and managing users’ data.”

“Businesses must place data integrity, security and resilience at the heart of their operations to severely reduce, if not avert, the risk of their own and their end users’ data being exposed to unwelcome consequences,” said Middleton. “Not only will this prevent hefty fines, such as those issued by the DPC, but it will ensure that their reputation doesn’t suffer as a result of a management error or data protection oversight.”

“When companies are entrusted with their customers’ sensitive data, there are no measures that go too far,” cautioned Middleton. “They must be aware that they are custodians of any data they collect, process and use, and it is therefore their responsibility to ensure that this data is protected.”

“This needs to go beyond a simple box ticking exercise to ensure GDPR compliance, and instead a business-wide culture of transparency and responsibility must be adopted,” Middleton concluded. “When it comes to data protection, this should include a full business continuity strategy, that includes resilience measures, including secure, immutable backups and disaster recovery solutions that can be drawn upon if data is maliciously accessed.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
