Finger tapping Instagram icon on black mobile phone screen showing GDPR fine for privacy settings

€405 Million GDPR Fine for Instagram Over Privacy Settings for Underage Users

The world’s most popular photo sharing app is facing a hefty General Data Protection Regulation (GDPR) fine for its handling of the accounts of underage users. Instagram’s default settings made the contact information of users between the age of 13 and 17 public, including email addresses and phone numbers.

Unusual large GDPR fine for a Meta company from Irish DPC

The €405 million GDPR fine was issued by Ireland’s Data Protection Commission (DPC), the body that generally investigates complaints against big tech platforms. The penalty is unusual not just in the amount, which makes it the second largest individual GDPR fine issued to date, but also in the willingness of the privacy watchdog to take action against a Meta-owned company. Critics of the Irish agency note that the investigation nevertheless took two years to complete, despite the details of the case being a fairly straightforward matter of general observation.

While Instagram generally restricts the profiles of its users under the age of 17, users between 13 and 17 were previously able to open business accounts that displayed their contact information to the general public by default. The user would have had to proactively change privacy settings to hide this information. This was the case until September 2019, when the platform set all accounts to private automatically if the user’s age is under 18. This prevents adults from messaging these users unless the user is following them.

Underage Instagram users were opting to ignore privacy settings and work around them by opening business accounts largely because it gives them more detailed feedback about who is engaging with their posts; the ability to view information about “likes” has been limited in some areas over concerns about negative impact on mental health.

The lengthy investigation required the use of a dispute resolution mechanism in place for when member states cannot agree on the amount of GDPR fines. More details about this are forthcoming next week when the Irish DPC releases its statement on its reasoning behind the fine amount, but this would not be the first time that other EU members pushed for larger fines on a big tech firm that Ireland was not willing to levy. This resolution process has added months to the conclusion of investigations in certain other cases, most notably the €225 million fine of WhatsApp (now the third-largest GDPR fine in history) issued roughly a year ago.

Meta has the right to appeal the GDPR fine if it chooses, and has issued a statement indicating that it is reviewing the final decision and that it has made upgrades to its privacy settings in the past year.

Privacy settings, practices under examination in other cases

Though the Irish DPC has proven slow to take action against Meta, and generally unwilling to assess large fines, there are no shortage of investigations involving the company that remain ongoing. Most of these involve Facebook. There are six other ongoing investigations into Meta’s portfolio of companies, some of which date back to near the inception of the GDPR rules.

Privacy settings have been a repeated issue for Meta across its different companies, with cookie settings and navigation of options coming up as a repeated focus of complaints.

The Irish DPC has previously taken action against Twitter over privacy settings, though that case was more of a software bug than an oversight specifically impacting minors. The “protected Tweets” feature was not actually working properly through the Android app version of the service from 2014 to 2019, allowing for the public to read tweets that were intended only for followers. Twitter was taken to task more for its failure to disclose in a timely manner (failing to contact appropriate authorities within 72 hours as required) than it was for the nature of the information that was disclosed, ultimately receiving a fine of €450,000. Though this case also appeared to be fairly straightforward, it was held up for two years and saw EU members go back and forth over the size of the GDPR fine.

Among other issues, the Irish DPC is currently investigating Facebook for a breach reported in 2021 that saw over 530 million user records leaked due to a platform flaw that was present until 2019. The records appeared on an underground hacker forum in 2021, apparently dumped there after losing any resale value in criminal circles. Meta has faced more difficulty from France’s CNIL, the country’s data protection watchdog, which has been faster to move against it when circumstances allow it to circumvent the usual collaborative GDPR fine process. A recent example of this also involved privacy settings, with CNIL fining Facebook €60 million in early 2022 for failing to make it easy enough for users to navigate cookie settings and reject cookies when desired.