
DATA PROTECTION

EDPB and the Irish Data Protection Authority fine Instagram €405 million.

The Data Protection Commission (DPC) has today announced a conclusion to an inquiry into Meta Platforms Ireland Limited (Instagram) imposing a fine of €405 million and a range of corrective measures.

The inquiry concerned the processing of personal data relating to child users of the Instagram social networking service. It was initiated by the DPC on 21 September 2020 in response to information provided by David Stier (a US data scientist), and also in connection with issues identified by the DPC itself, following examination of the Instagram user registration process. The inquiry examined, in particular, the public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children.

Following a comprehensive investigation, the DPC submitted a draft decision to all peer regulators in the EU, also known as Concerned Supervisory Authorities (“CSAs”), under Article 60 of the GDPR in December 2021. Six of these national regulators raised objections to the DPC’s draft decision. The DPC was unable to reach consensus with the CSAs on the subject matter of the objections and it therefore referred the case to the European Data Protection Board (“EDPB”), in line with the Article 65 dispute resolution process of the GDPR.

On 28 July 2022, the EDPB adopted its binding decision, which rejected a considerable quantity of the objections but upheld objections requiring the DPC to amend its draft decision to include a finding of infringement of Article 6(1) GDPR and to reassess its proposed administrative fines on the basis of this additional infringement. Having incorporated these amendments, the DPC’s decision was adopted on 2 September 2022. The decision records findings of infringement of Articles 5(1)(a), 5(1)(c), 6(1), 12(1), 24, 25(1), 25(2) and 35(1) of the GDPR.

The DPC’s original draft decision had recommended a fine of up to €405 million and, having taken account of the EDPB’s binding decision, the fine imposed on Meta Platforms Ireland Limited (Instagram) totals €405 million, including a fine of €20 million for the infringement of Article 6(1).

In addition to these administrative fines, the DPC has also imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified remedial actions.

The LSA’s final decision follows an own-volition inquiry into Instagram’s public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children, during the period falling within the temporal scope of the inquiry, a practice which has since ended as a consequence of the LSA’s inquiry.

EDPB Chair Andrea Jelinek said: “This is a historic decision. Not just because of the height of the fine - this is the second highest fine since the entry into application of the GDPR - it is also the first EU-wide decision on children’s data protection rights. With this binding decision, the EDPB makes it extra clear that companies targeting children have to be extra careful. Children merit specific protection with regard to their personal data.”

The EDPB’s binding decision was adopted on the basis of Art. 65 GDPR, after the Irish DPA as lead supervisory authority (LSA) had triggered the dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, the CSAs issued objections concerning the legal basis for processing and the determination of the fine. The DPC subsequently made amendments to its draft decision following the dispute resolution process.

This is the first binding decision of the EDPB addressing one of the fundamental pillars of EU data protection law: the lawfulness of processing in accordance with Art. 6 GDPR. In particular, the EDPB provided further clarification on the applicability of the legal bases of ‘performance of contract’ and ‘legitimate interest’.

Meta IE relied on these two legal bases alternatively for the publication of email addresses and/or phone numbers of children who used Instagram business accounts. The EDPB found that there were no grounds for the LSA to conclude that the processing at stake was necessary for the performance of a contract. Consequently, Meta IE could not have relied on Art. 6(1)(b) GDPR as a legal basis for this processing.

As regards legitimate interest, as an alternative legal basis for the processing, the EDPB found that the publication of the email addresses and/or phone numbers of children did not meet the requirements under Art. 6(1)(f) GDPR, since the processing was either unnecessary or, if it were to be considered necessary, it did not pass the balancing test required when determining legitimate interest.

The EDPB therefore concluded that Meta IE processed children’s personal data unlawfully without a legal basis and instructed the LSA to amend its draft decision in order to establish the infringement of Art. 6(1) GDPR.
Finally, the EDPB instructed the LSA to reassess its envisaged administrative fine in accordance with Art. 83(1) and 83(2) GDPR to:
  • impose an effective, proportionate and dissuasive administrative fine for the additional infringement, taking into consideration the nature and gravity of the infringement, as well as the number of data subjects affected;
  • ensure that the final amounts of the administrative fines are effective, proportionate and dissuasive.

This current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties.

The final decision taken by the Irish DPA is available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

For further information regarding the Art. 65 GDPR procedure, please consult the Art. 65 FAQ.
 