Instagram received a €405 million fine for a GDPR (General Data Protection Regulation) breach of children's data. It all started with the opening of an investigation in 2020. The investigation focused on users between the ages of 13 and 17, who had the possibility to manage business accounts. This facilitated the publication of the phone numbers and email addresses of the users. The conclusion was that Instagram violated the GDPR.
At the EU level, the Irish Data Protection Commission supervises several tech giants, including Apple, Google, and Meta. The tech company Meta owns Instagram, and this fine is the second-largest, after the €746 million fine imposed on Amazon.
The fine, which targets Instagram's violation of children's privacy, is currently the biggest for a company owned by Meta, coming after a €225 million fine for WhatsApp and a €17 million fine for Facebook.
Instagram claims that during the investigation, the company worked cooperatively with the Irish DPA. However, the social media platform disagrees with how the DPA determined the fine. According to Instagram, the investigation focused on outdated settings that the tech company modified more than a year ago. Since then, Meta has adopted a lot of new features to support teen safety.
How to avoid the fine for a GDPR breach of children's data?
For the processing of children's personal data, adherence to data protection standards and, in particular, fairness, should be mandatory. Before processing a child's personal information, you must establish a legal basis. Although consent is one ground that could be used, it is not the only one. Sometimes selecting a different legal basis is preferable and provides better protection for a child's data.
If you provide a service directly to children and depend on consent as the legal basis for processing personal data, you should confirm that the person providing the consent is of legal age to do so. Unless the service you provide is an online preventative or counseling service, you must get the approval of individuals who have parental control over children under the age of 16.
Make sure the person granting consent genuinely has parental responsibility for the child as well. In most circumstances, if this would have a legal or comparable substantial effect on children, you should not make choices regarding them based purely on automated processing. The GDPR places restrictions on when you can make these choices: you may do so only if you have taken the necessary precautions to safeguard the child's interests.
If you need assistance or have any questions, don't hesitate to get in touch with the Sovy team!
Last updated: September 9, 2022