The Irish privacy authority issued a € 405 million fine against social platform Instagram for violating the GDPR in the collection and processing of data from users aged 13 to 17.
After WhatsApp was fined € 225 million in September 2021, Facebook came into the Irish Data Protection Authority's sights again a few months later, being fined € 17 million. On Sept. 3, 2022, Irish Data Protection Commission (DPC) Deputy Commissioner Graham Doyle announced that, the day before, the Irish privacy authority had reached a decision in the investigation that had involved the well-known social platform Instagram for two years.
Zuckerberg's social platform faces two main objections. What is challenged is:
- the ease with which certain personal data (such as email addresses and phone numbers) were exposed in the business accounts of teenagers aged 13 to 17, and
- how such business accounts were by default set as public – and therefore accessible and visible to the entire online community.
The social network in question had already found itself, a year ago, at the center of sharp criticism from parents and pedagogues concerned about the negative effects of likes on the mental health of younger people. In particular, they had linked the decrease in self-esteem caused by a reduced number of likes on Instagram to the worsening of body image and mental health in underage users.
The Instagram Kids project had thus been shelved, and the choice had fallen on hiding the number of likes from users' view. This change would seem to have brought more problems than solutions, spurring several very young people to opt for business accounts in order to benefit from some additional features, such as algorithms that provide statistics on the likes of a post. The ability to better understand one's success on social media thus becomes an unequal trade-off, exchanged for personal information by very young users, who often do not realize the consequences such exposure can have on the network. Indeed, the easy accessibility of data such as one's phone number or email address opens millions of profiles to the risks of malicious activities such as scraping, which, although legal in itself, can lead to unwanted intrusions into individuals' privacy.
Meta, for its part, has already declared its intention to appeal the order, which is to be issued soon, complaining of an erroneous quantification of the penalty and adding that it cooperated fully with the Authority throughout the investigation, which began in September 2020. No less relevant is the fact that the large sum would relate to matters that now date back some time, since the Big Tech company in question has already made the necessary changes to Instagram's features, in compliance with the principles of privacy by design and by default contained in the GDPR, for the protection of sensitive users such as minors in the 13-17 age range. To date, in fact, accounts are automatically set to private mode for minors, allowing profile access only to accepted followers. In the same vein, aimed at shielding minors from unwanted approaches, it is stipulated that adults may not contact minors under 18 privately unless the conversation is initiated by them.
The issue of "minors and the information society" is extremely dear to European authorities, which are given a filtering role toward individuals who are particularly vulnerable in their online activities, more exposed and more likely to fall victim to practices such as behavioral advertising. The delicate balance to be struck is between the construction of the young person's identity in today's digital context (for which a total ban on access to social platforms would be unreasonable) and the need for strict rules that protect an early entrée to the Web.
On a similar topic, the article “Lessons learnt from WhatsApp’s massive GDPR fine” may be of interest.