RISK

NEWS

Meta fined €405m over handling of data

14 Sept 2022

The owner of Instagram, Facebook and Whatsapp, Meta, has been fined €405m (£349m) by the Irish data watchdog, the DPC, for allowing teenagers to set up accounts that publicly displayed their phone numbers and email addresses.

The Data Protection Commission confirmed the penalty after a two-year investigation into potential breaches of the European Union’s GDPR. The GDPR sets out seven key principles that place certain requirements on the way personal data is managed. They are:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Instagram had allowed users aged between 13 and 17 to operate business accounts on the platform, which showed the users’ phone numbers and email addresses. The DPC also found the platform had operated a user registration system whereby the accounts of 13-to-17-year-old users were set to “public” by default.

The DPC regulates Meta on behalf of the entire EU because the company’s European headquarters are in Ireland. The penalty is the highest imposed on Meta by the watchdog, after a €225m fine imposed in September 2021 for “severe” and “serious” infringements of GDPR on its WhatsApp platform and a €17m fine in March 2022. The fine is the second largest under GDPR, after the €746m levied on Amazon in July 2021.

A DPC spokesperson said:

“We adopted our final decision last Friday and it does contain a fine of €405m. Full details of the decision will be published next week.”

Instagram has said that, prior to September 2019, it had put user contact details on business accounts and had informed users during the setup process. Under-18s now have their account set to private automatically when they join the platform.

Andy Burrows, head of child safety online policy at NSPCC, said:

“This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram. The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online.”

A Meta spokesperson said:

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it. We’re continuing to carefully review the rest of the decision.”

Last year Meta suspended work on a version of Instagram for children following revelations about the app’s impact on teen mental health. Instagram said it was “pausing” work to address concerns raised by parents, experts and regulators.