Record fine for Instagram following EDPB intervention

Sep 15, 2022

Source: European Data Protection Board

Brussels, 15 September – Following the EDPB’s binding dispute resolution decision of July 28th, the Irish Data Protection Authority (DPA) has adopted its decision regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and has issued a record GDPR fine.

The LSA’s final decision follows an own-volition inquiry into Instagram’s public disclosure of email addresses and/or phone numbers of children using the Instagram business account feature and a public-by-default setting for personal Instagram accounts of children, during the period falling within the temporal scope of the inquiry. A practice which has since ended as a consequence of the LSA’s inquiry. EDPB Chair Andrea Jelinek said: “This is a historic decision. Not just because of the height of the fine – this is the second highest fine since the entry into application of the GDPR – it is also the first EU-wide decision on children’s data protection rights. With this binding decision, the EDPB makes it extra clear that companies targeting children have to be extra careful. Children merit specific protection with regard to their personal data.”

The EDPB’s binding decision was adopted on the basis of Art. 65 GDPR, after the Irish DPA as lead supervisory authority (LSA) had triggered the dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, the CSAs issued objections concerning the legal basis for processing and the determination of the fine. The DPC subsequently made amendments to its draft decision following the dispute resolution process.

This is the first binding decision of the EDPB addressing one of the fundamental pillars of EU data protection law: the lawfulness of processing in accordance with Art. 6 GDPR. In particular, the EDPB provided further clarification on the applicability of the legal bases of ‘performance of contract’ and ‘legitimate interest’.

Meta IE relied on these two legal bases alternatively for the publication of email addresses and/or phone numbers of children who used Instagram business accounts. The EDPB found that there were no grounds for the LSA to conclude that the processing at stake was necessary for the performance of a contract. Consequently, Meta IE could not have relied on Art. 6(1)(b) GDPR as a legal basis for this processing.

As regards legitimate interest, as an alternative legal basis for the processing, the EDPB found that the publication of the email addresses and/or phone numbers of children did not meet the requirements under Art. 6(1)(f) GDPR, since the processing was either unnecessary or, if it were to be considered necessary, it did not pass the balancing test required when determining legitimate interest.

The EDPB therefore concluded that Meta IE processed children’s personal data unlawfully without a legal basis and instructed the LSA to amend its draft decision in order to establish the infringement of Art. 6(1) GDPR.

Finally, the EDPB instructed the LSA to reassess its envisaged administrative fine in accordance with Art. 83(1) and 83(2) GDPR to:

impose an effective, proportionate and dissuasive administrative fine for the additional infringement, taking into consideration the nature and gravity of the infringement, as well as the number of data subjects affected;
ensure that  the  final  amounts  of  the  administrative fines are effective, proportionate and dissuasive.

This current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties.

The final decision taken by the Irish DPA is available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

For further information regarding the Art. 65 GDPR procedure, please consult the Art. 65 FAQ

Recent news

Position paper on GDPR Evaluation 2024

Position paper on GDPR Evaluation 2024

This paper highlights how, from the perspective of data protection practitioners, the business sector –
particularly small and medium-sized enterprises (SMEs) – can be better supported in meeting data
protection requirements within the context of increasing digitization.

read more