This is the largest fine ever imposed by the Irish Data Protection Commission. Last year, it had already ended WhatsApp, also owned by Meta, €225 million for data protection violations.
The scope of the Instagram investigation involved two types of processing by Facebook Ireland Limited:
The first allowed child users between the ages of 13 and 17 to operate business accounts on the Instagram platform. The DPC states that at times, the operation of these accounts required and/or facilitated the publication of the child user’s phone number and email address.
The second type of processing investigated was the operation of a user registration system for the Instagram service. In this one, child users’ accounts were set to « public » by default, making the child users’ social media content public unless the account was set to « private » by changing the account’s privacy settings.
Caroline Carruthers, owner of a data consulting firm in the United Kingdom, said that Instagram had not thought through its privacy responsibilities in letting teens create professional accounts and had shown a « clear lack of care » in user privacy settings.
While Instagram is now in the crosshairs, the company is not the only one under investigation by the CPD. TikTok will certainly be watching closely as the company is also the target of the CPD over its own handling of children’s data. However, since the investigation is recent, it is highly likely that a decision will not be made for some time.