The Irish DPC imposed a fine of €405 million on Meta Platforms Limited, relating to the processing of children’s data.
The Irish Data Protection Commission (DPC) recently imposed a fine of €405 million and a range of corrective measures on Meta Platforms Limited (Ireland), after an inquiry into the company revealed several GDPR infractions. The inquiry, which was related to the processing of personal data relating to child users of the Instagram social networking service, was initiated by the DPC almost two years ago, on 21 September 2020. It was initiated in response to information provided by a US data scientist, along with issues identified by the DPC itself, through an examination of the Instagram user registration process. The focus of the inquiry was the public disclosure of email addresses and/or phone numbers of children with the Instagram business account setting, as well as a public-by-default setting for personal Instagram accounts of children.
A draft decision was issued following the initial investigation in December 2021.
After conducting a comprehensive investigation, the DPC issued a draft decision to all Concerned Supervisory Authorities or CSAs (other regulators in the EU), under Article 60 of the GDPR in December 2021. However, there were objections raised by six of the other national regulators to the DPC’s draft decision. The case was then referred to the EDPB, as the DPC was unable to reach consensus with the other CSAs on the objections raised in line with Article 65 of the GDPR which covers the dispute resolution process.
In July 2022, the EDPB adopted a binding decision on the matter, dismissing many of the objections.
In July 2022, the EDPB adopted a binding decision, which rejected a considerable number of the objections made by other EU CSAs, but did uphold objections requiring the Irish DPC to amend its draft decision to include an infringement of Article 6(1) of the GDPR, as well as to reassess the proposed administrative fines, also taking this additional infringement into account. After incorporating these amendments, the DPC issued a decision on 2 September, 2022. The decision records findings of several GDPR infringements including that of Articles 5(1)(a), 5(1)(c), 6(1), 12(1), 24, 25(1), 25(2) and 35(1) of the GDPR.
The Irish DPC imposed a fine of €405 million on Meta Platforms Limited.
The original draft decision from the Irish DPC had recommended a fine of up to €405 million. After considering the EDPB’s binding decision, the Irish DPC decided to impose a fine on Meta Platforms Ireland Limited (Instagram) for the full amount of €405 million. This record fine included an amount of €20 million for the infringement of Article 6(1). In tandem with the administrative fines, the DPC has also issued a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of specified, actionable remedial steps.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.