Cordery

Legal.Compliance.

Client Alert: Ireland Fines Meta €405 million for Instagram Data Protection Infringements

We first produced this alert on 15 September 2022 and have updated it to look at Meta’s appeal.

Introduction

Ireland’s Data Protection Commissioner (DPC) has fined Meta Platforms Ireland Limited €405 million for data protection infringements.  It has also ordered it to put in place a range of corrective measures.

Meta operates Instagram and Meta Platforms, Inc. was formerly known as Facebook, Inc. and is also the parent company of other social media platforms including Facebook and WhatsApp.

The fine is the second highest fine under GDPR to date behind Luxembourg’s €746 million fine for Amazon in August 2021 (details here https://www.corderycompliance.com/amazon-fine-lux-cnpd/).

There are some technical terms and abbreviations in this alert which are explained at www.bit.ly/gdprwords.

What is this about?

The DPC’s investigation looked into the processing of the personal data of users of Instagram aged 13 to 17.  The DPC started its investigation in September 2020 after a tip-off from an American data scientist who had looked at the Instagram sign-up process.

The DPC was concerned about the amount of data which could be accessed particularly since the default settings were that data would be shared.  GDPR contains an obligation for data protection by design and data protection by default.  Instagram had already made changes by the time of the investigation to set sign-up data to private by default.

It is important to remember that this case is just another sign of the increased enforcement of GDPR.  There have been just under 1,600 publicly announced GDPR fines to date with a value of around €1.8bn.  This also isn’t the first big fine for Meta.  In September 2021 the DPC fined WhatsApp €225 million relating to WhatsApp’s transparency obligations.  There’s more on that fine here https://www.corderycompliance.com/whatsapp-fined-by-irish-dpa/.

How was the fine set?

This was another case where the fine was set using the EU GDPR co-operation mechanism.  Essentially the DPC took the lead on behalf of affected EU DPAs and submitted a draft decision.  Six national DPAs disagreed with the draft decision and the EDPB dispute resolution process was engaged. In this case the EDPB process did result in some changes to the draft decision but not to the proposed fine of €405 million.

Is it just a fine?

No.  It’s increasingly common in GDPR cases for regulators to impose a fine and to order the organisation involved to put remedial measures in place too.  In addition to these administrative fines, the DPC has also imposed a reprimand and an order requiring Meta to bring its processing into compliance by taking a range of specified remedial actions.

What did the EDPB say?

EDPB Chair Andrea Jelinek said: “This is a historic decision. Not just because of the height of the fine – this is the second highest fine since the entry into application of the GDPR – it is also the first EU-wide decision on children’s data protection rights. With this binding decision, the EDPB makes it extra clear that companies targeting children have to be extra careful. Children merit specific protection with regard to their personal data.”

What happens next?

Meta has appealed against the fine.  Meta has also appealed against DPC actions in the past.  As we’ve said previously so far there is a fairly high win rate for appeals under GDPR.

The appeal was lodged in the High Court in Ireland on 29 September 2022.

There’s a general trend however to higher fines and we’ve seen other cases where the DPAs in different countries have been pressing for higher fine levels, in some cases higher than any fine that that DPA has itself imposed.  We can expect the general level of fines to increase as pressure from those DPA increases.

This may well not be the last fine for Meta.  The DPC is also investigating a data breach allegedly affecting more than 530 million users.  At the end of September the DPC sent its draft findings to other EU DPAs for comments which may trigger a repeat of this process.  Given Meta’s turnover this may well lead to another large fine.

Another case which might be worth watching will be another DPC led investigation into another social media platform, TikTok.  Again the focus of that investigation is on the by default settings for users aged under 18 and the DPC said that it had started the EDPB process for that case on 13 September.  It may be that this will lead to another large fine.

Practical tips – what can you do?

The case is especially relevant for anyone handling children’s data but there are wider implications too including:

  1. Proper planning is key – here Meta did not look carefully enough at its default settings. Undertaking a proper Data Protection Assessment (DPIA) prior to starting up may have identified and reduced those risks.
  2. Having a lawful basis for processing is important. This was one area of change after the EDPB process.  If you are processing data you will need to be able to show how that meets a lawful basis under GDPR Art. 6(1).
  3. Don’t always rely on ‘legitimate interest’. Many organisations seem to think the legitimate interest basis for processing data is wider than it is.  We’ve had a number of cases at an EU and UK level which confirm that it’s a fairly narrow ground.  This case is part of that trend.  If you do rely on legitimate interest you’ll need a carefully reasoned position as to why it applies in your case.  That might include a formal Legitimate Interests Assessment (LIA) and you’ll also need to be transparent about the assessment you have made.
  4. The data protection principles are important. Here the DPC decided that the data had not been processed fairly, lawfully and transparently and that the right steps had not been taken to minimise the amount of data processed.  Looking at the data protection principles in GDPR Art. 5 and making sure you can demonstrate compliance is important.  Again a DPIA can help as part of that process.

More Information

You can read the DPC’s announcement here https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-instagram-inquiry

You can read the EDPB decision here https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-22022-dispute-arisen_en

For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.