Ireland’s Data Protection Commission has issued a fine of €405m ($402.2m) against social media site Instagram following an investigation into its handling of children’s data.
Instagram had allowed children to run business accounts, which explicitly exposed the account holder’s phone number and email address – considered to be minor data(13-17 years).
A Meta spokesperson said Instagram updated its privacy settings more than a year ago and has since published new features aimed at keeping teens safe and their information private. The company also reportedly engaged fully with the regulator throughout the investigation but disagreed with how the penalty was calculated.
The DPC fine against Instagram is the second–highest fine issued under GDPR, following a €746m ($740.8m) penalty dropped against Amazon in July 2021.
This is not the first time; a hefty fine has been imposed. In fact, the Data Protection Commission served a €225m fine to WhatsApp in September 2021 for failing to discharge GDPR transparency obligations.
More recently, the DPC fined Meta €17m ($19m) in March 2022 over an inquiry into 12 data breach notifications.
The relationship between Meta and DPC is turbulent, few other factors also fueling the social media giant to recently say it will likely its services from operating in Europe unless the firm is allowed to deal with Europeans’ data on servers based in the United States.