The Irish data regulator has submitted a draft decision about Instagram’s user registration process to other EU data protection authorities, bringing the total number of Irish decisions regarding Meta (formerly Facebook) companies to three.
In a 7 Dec. news release on its website, the Data Protection Commission (DPC) said it was submitting the decision pursuant to Article 60 of the General Data Protection Regulation (GDPR), as part of a process that enables other EU regulators to scrutinise decisions affecting individuals in multiple member states.
Meta—the parent company for Instagram, Facebook, and WhatsApp—bases its European operations in Ireland, along with several other major US tech companies including Microsoft and Google.
Allegations of Unlawful Processing of Children’s Data
The DPC’s news release did not provide details of draft decision, but it is likely to relate a statutory inquiry announced by the regulator last October into how Instagram’s parent company justifies the processing of children’s data.
Data scientist David Stier lodged a complaint against Instagram in September 2020 after exposing a “loophole” in the app that allowed children to convert their personal accounts to business accounts.
Instagram business account users receive additional metrics about interactions with their photos and videos, but at the time they were also required to publicly display their contact details. This led to some children’s data being publicly accessible.
In a June 2019 Medium post, Stier said Instagram had still not removed children’s data from the open web following his disclosure of the loophole four months earlier. Instagram later enabled business users to opt out of sharing their contact details.
Disagreements Among EU Regulators
In the DPC’s news release, Deputy Commissioner Graham Doyle noted that the Instagram draft decision was “the seventh DPC inquiry to have reached the Article 60 stage under the GDPR.”
In May 2020, following an investigation into a data breach at Twitter, the DPC submitted a draft decision proposing a fine of between €135,000 and €275,000.
Commenting on the proposed Twitter penalty, other data protection authorities said the amount was “too low” and would not “fulfill its purpose as a corrective measure.” The DPC was forced to increase the penalty, and in December 2020 imposed a fine of €450,000 against Twitter.
More recently, a decision against WhatsApp also came under criticism from other data protection regulators.
In a binding European Data Protection Board (EDPB) decision, several other data protection authorities said the DPC’s proposed fine of between €30-50 million was inadequate, and the Irish regulator eventually imposed a much larger penalty of €225 million.
A draft DPC decision regarding the Facebook platform is also currently at the Article 60 stage, following a complaint from privacy campaigner Max Schrems alleging that Facebook was “bypassing” the GDPR’s rules on consent.