The Irish data protection authority has fined Instagram €405m over how the company processed children’s data—the second largest GDPR fine on record.
The final Instagram decision was confirmed by the Irish Data Protection Commission (DPC) to Politico on Monday but has not yet been published.
However, based on what we already know about the investigation into Instagram, the decision is likely to provide some important lessons about children’s privacy and the principle of “data protection by design and by default”.
Big Tech’s Regulator
Ireland is the European home to many of the world’s largest tech firms, including Meta (which owns Instagram, Facebook and WhatsApp), Microsoft, Google, and many more.
The abundance of Silicon Valley firms in Ireland means that the Irish DPC is, effectively, the EU’s “big tech regulator”.
But the Irish regulator has been criticised for allegedly failing to enforce the law against such companies.
In January, for example, European Commissioner for Justice Didier Reynders defended the DPC after several European Parliament members called for disciplinary action against the regulator.
And back in March 2021, the Irish Times reported on “an unprecedented war of words” between the DPC and other European regulators over the handling of a complaint about Facebook.
However, several decisions against Meta-owned companies have been issued in the past year, including a €225m penalty against WhatsApp and a €17m fine against Facebook in March.
Last December, the DPC said it had submitted a draft decision against Instagram as part of the GDPR’s Article 60 process, which allows other data protection authorities to review and object to decisions that affect individuals in multiple member states.
At the start of the investigation, the DPC said it would be assessing Instagram’s “reliance on certain legal bases for its processing of children’s personal data”. The DPC also said it would be examining Instagram’s compliance with transparency obligations.
The DPC’s investigation would also focus on “Instagram profile and account settings” for child users and “adherence with the requirements in the GDPR in respect to Data Protection by Design and Default”.
Children’s Account Settings
While we don’t yet have a copy of the final Instagram decision—or even the draft—it’s clear that the investigation related to issues raised in 2019 by data scientist David Stier.
Stier published allegations about Instagram in a June 2019 Medium post with a provocative title: “Instagram offered free analytics to children and in exchange, Instagram showed their cell phone # & email in plain sight to a billion strangers”.
Stier’s research revealed that the phone numbers and email addresses of some child Instagram users were publicly accessible to “over 1,000,000,000 users”. Stier attributed this to a “backdoor” that allowed children to convert their Instagram accounts to business accounts.
Instagram business account users can access additional analytics about engagement with their stories. But at the time, business account users were also required to make their phone number or email address publicly available.
The researcher said he had raised the issue with Facebook (now Meta) in late February 2019. Stier claimed that the issue had still not been resolved at the time of writing the post four months later. In fact, Stier claims that Instagram had explicitly refused to mask business users’ personal data.
In his Medium post, Stier also criticised Instagram’s account setup process.
Under Meta’s terms of service, children under 13 are not allowed to set up an Instagram account.
But Stier noted that “age verification is typically not required unless you give some indication that you are under the age of 13 (such as writing in your bio that you are in the 4th grade or were born ten years ago).”
Data Protection by Design
Children aside—should anyone have to publish their email address or phone number in order to access Instagram’s advanced business account metrics?
Under the principle of “data protection by design”, arguably not.
Article 25 (2) of the GDPR states that controllers (like Meta) must “ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”.
Stier pointed out that when a user clicks the “email me” link on an Instagram business profile, Instagram opens the user’s email client and reveals the email address in plaintext.
This functionality, Stier argued, gave rise to the possibility that data could be “scraped” en masse from the platform.
An alternative, Stier suggested, would be the model employed by platforms such as the classified ads website Craigslist, which provides anonymous emailing via a web form so that the recipient’s address is never published.
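To make the “data protection by design” point concrete, here is a small added example (not code from the article, from Stier, or from Meta) contrasting the two designs described above: a profile page that publishes a plaintext `mailto:` link, which a scraper can harvest with a regular expression, versus a Craigslist-style relay form keyed by an opaque token, with contact details off by default so nothing is published without the user’s own intervention. The profile data, the `/contact/<token>` route and the in-memory token store are all hypothetical stand-ins constructed for the demo.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass
class BusinessProfile:
    """Constructed sample record; not a real Instagram account."""
    handle: str
    email: str
    # Article 25(2) default: contact details are NOT public until the user opts in.
    show_contact: bool = False


# Hypothetical server-side store: opaque token -> real address.
# In production this would be a database table, not a module-level dict.
RELAY_TOKENS: dict[str, str] = {}


def render_leaky(profile: BusinessProfile) -> str:
    """The pattern Stier criticised: the address is embedded in the page HTML."""
    return f'<a href="mailto:{profile.email}">Email me</a>'


def render_relay(profile: BusinessProfile) -> str:
    """Relay alternative: the page only carries an opaque token; the address stays server-side.

    Returns an empty string when the user has not opted in, so the default
    publishes nothing (data protection by default).
    """
    if not profile.show_contact:
        return ""
    token = secrets.token_urlsafe(16)
    RELAY_TOKENS[token] = profile.email
    return (
        f'<form action="/contact/{token}" method="post">'
        '<textarea name="body"></textarea>'
        "<button>Email me</button></form>"
    )


def relay_send(token: str, body: str) -> bool:
    """Hypothetical handler for POST /contact/<token>.

    Resolves the token to the real address and would hand the message to the
    mail system; the sender never sees the address. Unknown tokens are rejected.
    """
    address = RELAY_TOKENS.get(token)
    if address is None:
        return False
    # send_mail(address, body) would go here in a real deployment.
    return True


# Loose address pattern of the kind a bulk scraper would run over fetched pages.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrape_emails(html: str) -> list[str]:
    """What mass scraping looks like: regex the rendered HTML for addresses."""
    return EMAIL_RE.findall(html)


def demo() -> dict[str, int]:
    """Count how many addresses a scraper recovers under each design."""
    profile = BusinessProfile(handle="demo_kid", email="kid@example.com")
    leaked_mailto = len(scrape_emails(render_leaky(profile)))
    leaked_default = len(scrape_emails(render_relay(profile)))  # opted out: no form
    profile.show_contact = True
    leaked_relay = len(scrape_emails(render_relay(profile)))  # opted in: token only
    return {
        "mailto": leaked_mailto,
        "relay_default_off": leaked_default,
        "relay_opted_in": leaked_relay,
    }


if __name__ == "__main__":
    print(demo())
```

The scraper finds the address in the `mailto:` version and nothing in either relay variant; the relay still lets a visitor send a message, because the token resolves to the address only on the server. The same shape applies to a phone number: publish a “call/message me” action bound to a token rather than the number itself.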
Facebook responded to Stier’s allegations in an October 2020 BBC article, claiming that Stier’s post was a “mischaracterisation” of Instagram’s account settings and stating that it had made “updates” so that users could “opt out of including their contact information entirely”.
However, it is worth noting that clicking the “email me” link on an Instagram business account still provides the user’s email address in plain text.
Given that €405m is the second largest GDPR fine on record, the changes Instagram implemented might have been too little, too late.