Summary: Ireland’s Data Protection Commission fines Meta’s Instagram for threatening child privacy

Meta’s Instagram has been awarded a head-turning €405 million fine under GDPR for child privacy violations by Ireland’s data protection body

What’s the news: Ireland’s Data Protection Commission’s (DPC) decision to levy a fine of €405 million on Meta Platforms Ireland Ltd and its Instagram platform caused quite the stir this month. The regulator investigated the platform’s processing of child users’ data and found that the company had failed to protect the rights of the children.

Accordingly, the DPC levied 10 fines on the platform as per various provisions of the European Union’s General Data Protection Regulation (GDPR) and ordered Meta to “bring its processing into compliance with the GDPR.” With this, Meta’s Instagram platform now records the second-largest fine under the bloc’s privacy law after Amazon’s fine of €746 million.

The investigation began after US-based researcher David Stier alleged that over 60 million children could change their personal accounts into business accounts, exposing their personal information such as phone number and email address.

The DPC’s own research found that newly registered Instagram accounts are set to “public” by default, unless the user changes the account setting to “private.” Children could switch from personal to business accounts after mandatorily displaying an email address or phone number associated with the business.

Recently, the DPC released a detailed document on its decision wherein the Assistant Commissioner noted the relevance of ‘Recital 38 to the GDPR’ to the above-mentioned processing. It said:

“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.

Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.”

MediaNama went through the document that further provided reasons for each fine imposed on the platform.

Why it matters: Social media platforms are privy to a lot of data about child and teenage users, who cannot be expected to fully understand the consequences of sharing such information. The exposure of a child’s sensitive data can be dangerous and violate their right to privacy. While looking at the collective fine of €405 million, it is equally important to understand the DPC’s logic in issuing these 10 fines. For India, which is still working on its data and privacy protection laws, it is important to observe how regulators in other countries are assessing companies’ alleged violations of child data protection laws.

Instagram failed to ensure complete transparency with child users

Following investigations, the DPC found that Meta had failed to comply with Article 12(1) of the GDPR that specifically directs the “controller” to provide information “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” when addressing a child. The DPC said it recognises that child users may not be aware of the risks and consequences of a default public account.

“Therefore, a high standard of transparency is required of FB-I [Facebook Ireland Ltd] when explaining the public-by-default purpose of processing social media content on Instagram,” said the DPC’s decision.

As such, it concluded that the company had failed to convey the information concerning the default processing purpose in a clear or transparent form. The Commission also noted that explicit information for this was limited to Help Centre webpages and ancillary materials that required multiple navigation steps.

“The lack of clear indicative or summary information on this purpose of processing had the effect that the registration process and Data Policy failed to refer child users to more complete sources of information,” said Helen Dixon, Commissioner for Data Protection and decision-maker for the DPC.

For these reasons, the DPC issued two fines of €100 million and €70 million for violating Article 12(1) of the GDPR prior to September 4, 2019. In addition to this, the DPC noted that the language used by the platform did not clarify the purposes of processing or the categories of recipients of personal data as required under Article 13 of the GDPR.

No Data Protection Impact Assessment

As per Article 35(1) of the GDPR, controllers must prepare a Data Protection Impact Assessment for processing that can prove a high risk to people’s rights and freedoms. While the DPC said that the processing in question did prove a risk to child users, it said that the company had not conducted such an assessment.

“This finding does not relate to the modified Instagram registration process for child users, which was notified to the DPC by Facebook Ireland Limited in 2021,” said the DPC.

The company had changed the processing of data in July 2019 and September 2019 to create alternative forms of professional accounts and to opt out of providing contact information for a business account. However, the DPC said that this did not adequately mitigate the risks for child users in connection with the processing. Accordingly, it said that the contact information processing both before September 2019 and after endangered the rights and freedoms of child users.

The DPC issued a combined fine of €90 million for violating Article 35 of the GDPR.

Data processing violated principle of data minimisation

Prior to March 7, 2019, the company published email addresses / phone numbers of child users on Instagram in the HTML source code of certain Instagram profile webpages. As per Article 5(1)(c) of the GDPR, personal data should be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.” The DPC found that the processing by the company was not limited to “what was necessary in relation to the purposes for which FB-I processed this specific information.”

“I find that Facebook Ireland Limited did not comply with the principle of data minimisation as set out in Article 5(1)(c) GDPR,” said the DPC.

Further, it said that prior to the aforementioned date, Facebook Ireland Limited had failed to implement appropriate technical and organisational measures against the HTML publication of contact information. The company processed data to a “global extent” without ensuring that the contact information of child users was inaccessible without the individual’s intervention. As such, the regulator said that the processing further violated the principle of data protection by default under Article 25(2) of the GDPR as well.

“This processing resulted in the global dissemination of personal data of child users who had business accounts on Instagram, without the ability to opt-out of publication,” said the DPC and issued a fine of €25 million.

Another finding showed that when the inquiry started, Facebook Ireland Limited had implemented a default Instagram account setting for child users that allowed anyone on or off Instagram to view a child user’s social media content. This attracted an additional fine of €25 million.

Further investigation showed that the company had also failed to implement appropriate technical and organisational measures under Article 25(1) of the GDPR that takes into account “the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.”

It said that the company should have implemented data-protection principles in an effective manner and integrated necessary safeguards into the processing to meet the requirements of the GDPR and protect the rights of child users. This called for another combined fee of €50 million.

Absence of appropriate prompt to users

The DPC noted that while Facebook Ireland Ltd had made the Help Centre and blog post accessible to users after a delay, existing business account users may not have noticed this update “in the absence of an appropriate prompt by the controller.” The regulator said that the company had the technical means required to notify existing business account users of the change prior to September 2019, but failed to do so.

“I find that Facebook Ireland Limited did not adequately inform those child users who switched to a business account prior to 4 September 2019 of the removal (after 4 September 2019) of the requirement to publish their contact information on Instagram business profiles,” said Dixon.

Accordingly, she said that processing of contact information of child users who switched to a business account was not fair or transparent and contrary to Article 5(1)(a) of the GDPR. She issued a fine of €25 million.

No legal basis for processing

Under Article 6 of the GDPR, processing shall be lawful if “b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” Another clause states that processing is lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Facebook Ireland used these clauses to argue a legal basis for its processing. However, the EDPB said that Meta could not rely on Article 6(1)(f) for the contact information processing since “the processing was either unnecessary or, if it were to be considered necessary, it did not pass the balancing test.” Similarly, the DPC said Meta could not cite Article 6(1)(b) because it required “greater specificity of purpose” in the context of those provisions.

As such, the Commission found that the company had in fact infringed the Article and issued a fine of €20 million.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
