With decision of 2nd September 2022, the Irish Data Protection Authority inflicted a fine of Euro 405 billion to Meta Platforms Ireland Limited (Instagram) for GDPR infringement, imposing a series of corrective measures to adequately protect the privacy of minors.
The decision was issued at the end of a thorough investigation started in 2020 with regards to signing-in procedures of minors on the famous social network.
In particular, the Irish DPA could ascertain that minors were allowed to set-up their own account as business and to switch from a personal account to a business one. In doing so, however, some personal data, such as the email address or the phone number were made public. The preset public setting of minors’ accounts, which was applied as the default setting, was also examined by the Authority.
At the end of the investigation, the Irish DPA submitted its own conclusions to all the equal European regulatory authorities (concerned supervisory authority), pursuant to art. 60 of the GDPR. However, in light of the objections raised by the six national Authorities, it was necessary to request the binding opinion of the European Data Protection Board (EPDB).
On the 28th July 2022, the EDPB issued its own binding decision, rejecting a consistent part of the objections raised by the national authorities but accepting the objections which asked the Irish DPA for the ascertainment of the infringement by Instagram of art. 6, paragraph 1 of the GDPR, relating to the lawful conditions of the personal data processing.
Therefore, considering the binding opinion of the EDPB, the Irish DPA sanctioned Meta for having infringed, among other, the principles of lawfulness, fairness, transparency and minimization of the processing of data (art. 5 of the GDPR) and for failing to provide a sufficiently clear and comprehensible policy to minors (art. 12 of the GDPR).
Beside the administrative penalty, Meta was ordered to implement a series of corrective actions in order to comply with the GDPR.
Meta already announced that it will appeal against the decision. The American giant in fact highlighted that it modified the setting and the signing-up procedures of the minor users months ago, precisely to improve the platform security. The decision of the DPA therefore could concern settings no longer in force.
Ilaria Feriti