Instaworthy data protection fine

13 September 2022
by Era Gunning

On 5 September 2022, the Irish Data Protection Commissioner (“DPC”) fined Meta-owned social media platform Instagram EUR405 million for violations of the EU General Data Protection Regulation (“GDPR”) in respect of children’s privacy, including its publication of kids’ email addresses and phone numbers.

The fine, currently the highest for a Meta-owned company —follows a EUR225 million fine for WhatsApp and EUR17 million for Facebook. The Instagram fine  is the second-highest fine under the GDPR after a EUR746 million penalty against the e-commerce giant Amazon.

The DPC investigation looked at Instagram’s processing of children’s data for business accounts and on its user registration system which the DPC found could lead to the accounts of child users being set to “public” by default, unless the user changed the account settings to “private.”

According to a Meta spokesperson, the investigation by the DPC focused on old settings that were updated over a year ago, and it has since released several new features to help keep children safe and their information private. Anyone under 18 now automatically has their account set to private when they join Instagram. That means only people they know can see what they post, and adults cannot message children who do not follow them. According to the spokesperson, Meta engaged fully with the DPC throughout its inquiry, and is reviewing its final decision.

The GDPR, among other things, regulates the processing of children’s personal data and includes measures requiring privacy by design and default, transparency and accountability principles (including an obligation to provide clear communications that children can understand).

Back home, the South African Protection of Personal Information Act, 2013 (“POPIA”) also stringently regulates the processing of personal information of children. Organisations are – as a general rule – prohibited from processing such information. However, the prohibition does not apply if the processing (among other things) is carried out with the prior consent of a parent or guardian or necessary for the establishment, exercise or defence of a right or obligation in law.

In addition, the Information Regulator may, upon application and by notice in the Government Gazette, authorise a person to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child. The Information Regulator may also impose reasonable conditions in respect of any such authorisation granted.

ENSafrica’s Era Gunning and Ridwaan Boda will soon be hosting a comprehensive POPIA training course, including what to be mindful of when using the information of children. For more information contact Era Gunning

Era Gunning
Executive | Banking and Finance

Read more: