Irish Regulator Submits Draft Decision on Instagram’s Use of Children’s Data

By Robert Bateman2021-12-08T11:00:00+00:00

No comments

The Irish data regulator has submitted a draft decision about Instagram’s user registration process to other EU data protection authorities, bringing the total number of Irish decisions regarding Meta (formerly Facebook) companies to three.

Instagram logo

In a 7 Dec. news release on its website, the Data Protection Commission (DPC) said it was submitting the decision pursuant to Article 60 of the General Data Protection Regulation (GDPR), as part of a process that enables other EU regulators to scrutinise decisions affecting individuals in multiple member states.

Meta—the parent company for Instagram, Facebook, and WhatsApp—bases its European operations in Ireland, along with several other major US tech companies including Microsoft and Google.

Allegations of Unlawful Processing of Children’s Data

The DPC’s news release did not provide details of draft decision, but it is likely to relate a statutory inquiry announced by the regulator last October into how Instagram’s parent company justifies the processing of children’s data.

Data scientist David Stier lodged a complaint against Instagram in September 2020 after exposing a “loophole” in the app that allowed children to convert their personal accounts to business accounts.

Instagram business account users receive additional metrics about interactions with their photos and videos, but at the time they were also required to publicly display their contact details. This led to some children’s data being publicly accessible.

In a June 2019 Medium post, Stier said Instagram had still not removed children’s data from the open web following his disclosure of the loophole four months earlier. Instagram later enabled business users to opt out of sharing their contact details.

Disagreements Among EU Regulators

In the DPC’s news release, Deputy Commissioner Graham Doyle noted that the Instagram draft decision was “the seventh DPC inquiry to have reached the Article 60 stage under the GDPR.”

In May 2020, following an investigation into a data breach at Twitter, the DPC submitted a draft decision proposing a fine of between €135,000 and €275,000.

Commenting on the proposed Twitter penalty, other data protection authorities said the amount was “too low” and would not “fulfill its purpose as a corrective measure.” The DPC was forced to increase the penalty, and in December 2020 imposed a fine of €450,000 against Twitter.

More recently, a decision against WhatsApp also came under criticism from other data protection regulators.

In a binding European Data Protection Board (EDPB) decision, several other data protection authorities said the DPC’s proposed fine of between €30-50 million was inadequate, and the Irish regulator eventually imposed a much larger penalty of €225 million.

A draft DPC decision regarding the Facebook platform is also currently at the Article 60 stage, following a complaint from privacy campaigner Max Schrems alleging that Facebook was “bypassing” the GDPR’s rules on consent.

Topics

No comments

Article
US state legislators driving AI regulation despite resistance from industry chiefs

2024-04-26T12:49:00Z

Lawmakers from various regions across the United States are taking the reins in significant legislative drives to oversee the use of AI technology.
Article
US utilities struggling to meet demand of energy-thirsty AI

2024-04-19T11:53:00Z

In the US, demands for power are outstripping availability as energy-thirsty technologies such as generative AI pile pressure on national electrical systems.
Article
Banks poised for increased risk due to AI

2024-04-19T09:06:00Z

A leading banking regulator has issued a stern warning over the risks that financial institutions face as they move to integrate artificial intelligence (AI) and machine learning (ML) into governance operations.