Instagram fined for breaching data protection rules

Written by Éamon Chawke | October 4, 2022

Data Protection

In May 2018, the GDPR came into force across the EU and many businesses thought the sky would fall. The mammoth piece of EU legislation incorporated, amongst other things, a new standard for obtaining consent to process personal data, stricter controls when transferring personal data out of the EU, as well as enhanced rights for data subjects and enhanced obligations on data controllers and processors.

Almost four and a half years later, the GDPR is now a household phrase and we have seen significant change in the way that businesses behave (e.g. even small businesses are more attuned to their obligations as data controllers) and in the way that supervisory authorities behave (e.g. an increase in the number of fines and other penalties handed down for non-compliance).

As Ireland is home to the EU headquarters of some of the world’s largest technology companies, it’s not surprising that the Irish Data Protection Commissioner (the Irish equivalent of the ICO) has been particularly active in this area.

Most recently, the Irish Data Protection Commissioner imposed a €405 million fine on Facebook/Meta for violating children’s privacy on its Instagram service. The breaches that gave rise to the fine arose because the phone numbers and email addresses of millions of teenage Instagram users were inadvertently published in accordance with Instagram’s default settings for “business accounts”. This is the second significant fine imposed on Facebook/Meta in the last two years; the company previously received a fine of €225 million in relation to WhatsApp for non-compliance with data protection rules.

Facebook/Meta have said that the default settings that gave rise to the breach have since been changed and that the fine will be appealed (with a view to challenging the basis of calculation for the fine).

Briffa comment

One thing is clear: data protection compliance is a major consideration for any business involved in the processing of personal data. Businesses involved in the processing of special category personal data (such as personal data relating to health, political opinions or philosophical/religious beliefs) are particularly at risk, as are businesses involved in the processing of personal data on a large scale or other high-risk processing of personal data.

If you are thinking of developing an app/platform or other business that is likely to involve the processing of personal data relating to customers, subscribers, sellers, buyers or other users, it is crucial to get your head around your data protection obligations as early as possible. Indeed, the principle of ‘data protection by design’ requires that data controllers consider their data protection obligations from the outset and that safeguards and other appropriate organisational and technical measures are built into their processes to ensure that data protection obligations are complied with.

If you would like a free consultation to discuss your new app/platform or other business and how we can help with your data protection and intellectual property requirements, please do not hesitate to contact us at
