GDPR: Instagram fined 405 million euros for failure to secure data

GDPR: Instagram fined 405 million euros for failure to secure data


An essential social network of our time, Instagram is also guilty of not having sufficiently secured the data of some of its users, judges the Irish personal data policeman.

Bad day for Instagram. The photo and video sharing social network has just inherited a record fine of 405 million euros for non-compliance with the GDPR. According to Politicothe Irish personal data policeman (the DPC) has just imposed a record fine on the subsidiary of Meta for not having sufficiently secured the data of minor users on its platform.

Problematic public data

This sanction is the result of almost two years of investigative work. Started at the end of 2020, the investigations of the Irish CNIL were interested in the way in which Instagram had made public personal information concerning minor users. Specifically, it’s Instagram’s laissez-faire attitude that’s really at issue here.

In 2020, many minors present on the platform converted their personal account into a professional account in order to take advantage of the advanced consultation statistics accessible only to this category of account. Problem, to pass from a personal profile to a professional profile requires the publication of data such as the telephone number and the email address of the holders of these accounts. As a result, a plethora of Internet users aged 13 to 18 (Instagram is not supposed to be accessible to those under 13) have seen their data generously published on the web.

To make matters worse, the DPC even claims that Instagram has made public by default certain accounts belonging to Internet users under the age of 18. A reprehensible practice according to Art. 8 GDPR, which specifies that the processing of the data of a user under the age of 15 must be subject to double validation; that of the account holder and that of his legal representative. Aware of the problem, Instagram has also changed its rules of use in 2021 so that all profiles of people under 18 are private by default.

Advertising, your content continues below

The fine imposed on Instagram is the second largest imposed under the guise of the GDPR. The first goes to Amazon and its 746 million euros for unconsented advertising targeting. It is also the third fine imposed on the Meta group, after a first of 225 million for WhatsApp and a second of 17 million euros for Facebook. At the maneuver, we find almost every time the Irish policeman of personal data, since the head office of Meta is located in the country – originally for tax reasons.

In defense, Instagram explained that “this survey was on old metrics that we updated over a year ago. Since then, we have released many new features to keep teens safe and their information private.“The company also explained to the AP news agency”have fully cooperated with the DPC investigation” but “disagree with the way the fine was calculated“. Instagram will therefore appeal this decision.

This surely won’t be the last time that Meta’s escapades have made headlines, as the European Commission has many other open investigations into this subject.

Advertising, your content continues below

Advertising, your content continues below