The fine issued by Ireland’s Data Protection Commission is substantial, but it is not the highest penalty levied under GDPR.
The Irish data watchdog has today (15 September) officially announced its decision regarding its inquiry into Instagram.
Earlier in the month, it was revealed that the Data Protection Commission (DPC) was to impose a fine of €405m on the Meta-owned platform for breaching GDPR.
The data watchdog said its investigation concerned the processing of personal data related to minors and their privacy, with children’s email addresses and phone numbers being made public in some cases.
While this is the DPC’s biggest fine yet, it is not the highest ever in the history of GDPR. Statista has compiled a list of the top fines (converted into dollars) issued to companies under the EU data protection regulations.
Last July, Luxembourg’s data watchdog issued a fine of €746m to Amazon for “non-compliance with general data processing principles”. This is the largest fine that has been levied under GDPR since the rules were introduced in 2018.
The DPC’s €405m penalty for Instagram now comes in second place. Third place goes to WhatsApp, another Meta-owned company, which was fined €225m by the DPC last year.
Google appears three times in the list of the eight highest fines, alongside Facebook and Swedish fashion company H&M.
The DPC began its investigation into Instagram in September 2020. It said it had identified issues around Instagram’s user registration process, but its inquiry began in response to information from US data scientist David Stier.
The subsequent inquiry examined a number of issues. These included the public disclosure of email addresses and phone numbers of children using the Instagram business account feature, and the public-by-default setting for personal Instagram accounts of children.
Following its investigation, the DPC submitted a draft decision to peer regulators in the EU. Six of these national regulators raised objections to the draft decision, and the DPC was unable to reach consensus with other regulators on the objections. It referred the case to the European Data Protection Board (EDPB).
The EDPB adopted its binding decision on the case in July, rejecting a considerable number of the objections. However, it upheld objections requiring the DPC to amend its draft decision to include the finding of infringement of a GDPR article referring to lawful processing of data, and to reassess its proposed fines.
The DPC incorporated these amendments before adopting its decision on 2 September.
The DPC’s original draft decision had recommended a fine of up to €405m. Taking into account the EDPB’s decision, the fine imposed on Instagram now totals €405m, including a fine of €20m for the infringement of Article 6(1).
In addition to these administrative fines, the DPC has also imposed an order requiring Meta to bring its processing into compliance by taking a range of specified remedial actions.
In response, Meta said it disagrees with how the fine was calculated and intends to appeal it. The company is also reviewing the rest of the DPC’s decision.
“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson said.
“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them.”
Updated, 2.45pm, 16 September 2022: This article was updated to include a statement from Meta.