September 22, 2022
We wish to bring to your attention an important decision recently issued by the Irish Data Protection Commission (“DPC”) against Meta Platforms Ireland Limited (“Meta”), concerning children’s personal data processed as part of the Instagram service. As detailed below, the decision focused on two practices: Instagram’s public disclosure of the email addresses and phone numbers of children using the Instagram business account feature, and the public-by-default audience setting applied to the personal Instagram accounts of children.
In December 2021 the DPC submitted a draft decision to all the European Concerned Supervisory Authorities (“CSAs”). As several CSAs raised objections, the DPC referred the dispute to the European Data Protection Board (“EDPB”). Following the EDPB’s binding decision of July 28, 2022, the DPC announced its final decision against Meta, imposing a fine of €405 million and a range of corrective measures for the processing of personal data relating to children using the Instagram platform, finding that such processing infringed several Articles of the General Data Protection Regulation (“GDPR”). The fine is the second-largest imposed by a European regulator for GDPR violations to date and the first major European decision directly concerning children’s data protection rights. It emphasizes that companies whose services are used by children must exercise particular caution and provide specific protection for children’s personal data.
The inquiry was initiated on September 21, 2020, following issues identified in Instagram’s registration process relating to the Instagram “business account” feature (offered since 2016): the public disclosure of the email addresses and phone numbers of children using business accounts, and the public-by-default audience setting for the personal Instagram accounts of children aged 13 to 17. Until 4 September 2019, users, including child users, who switched to a business account were required to provide additional public-facing contact details, in the form of an email address or a phone number, which were then published on the user’s profile. Meta relied on the legal bases of “performance of a contract” and “legitimate interest” for the publication of the email addresses and phone numbers of children who used business accounts.
EDPB & DPC Decision – Overview
The EDPB and DPC decisions record findings of infringement of the GDPR by Meta in relation to the Instagram service, principally:
Instagram could not rely on “performance of a contract”:
The EDPB found that there were no grounds for the DPC’s draft decision to conclude that the processing was necessary for the performance of a contract, and that Instagram therefore could not rely on Article 6(1)(b) of the GDPR as the legal basis for this processing.
Instagram could not rely on “legitimate interest”:
Regarding legitimate interest as an alternative legal basis, the EDPB found that the publication of children’s email addresses and phone numbers did not meet the requirements of Article 6(1)(f) of the GDPR: the processing was either not necessary for the interest pursued or did not pass the balancing test that legitimate interest requires, a test that weighs especially heavily against the controller when the data subjects are children.
In addition, the transparency of the information provided affects the reasonable expectations of the data subjects, and adequate and sufficient additional safeguards are those that unquestionably and significantly reduce the impact on data subjects. Both are important elements in the balancing of interests, and neither was provided by Instagram. The EDPB noted that, for the processing of child users’ personal data after 4 September 2019, the option screen stating that the contact information would be displayed publicly on the user’s profile “so people can contact you” could have allowed child users to understand that anyone could contact them, and to opt out. Nevertheless, the EDPB concluded that these elements were insufficient to change the outcome of the balancing test in light of the considerations above, in particular the risk arising from the publication of children’s contact details and the insufficient warning about that risk.
In its final decision, the DPC also addressed Meta’s implementation of a public-by-default audience setting for all child users and its legality under the GDPR, principally under the data minimization principle and the requirement of data protection by design and by default, as follows:
The DPC rejected Meta’s argument that the sole or primary purpose of Instagram is the open sharing of social media content with anyone on or off Instagram. While open sharing of content is one valid purpose, many Instagram users choose to restrict who can see their content by switching their accounts to “private”. Yet Instagram’s registration process made no reference to public or private audience settings, or to the possibility that the user could make their content private. In circumstances where child users may not be aware of the risks, consequences and safeguards relating to the processing, the public-by-default audience setting facilitated the publication of children’s personal data to an indeterminate global audience before the child user had noticed the default setting or restricted access to the account. As a result, the processing of the data of child users who wanted a private Instagram account was not limited to what was necessary for that purpose.
Regarding data minimization, the DPC held that the default arrangement was neither necessary nor proportionate: child users may have had a reduced ability to apply privacy settings, processing in the context of public accounts was global in reach, and the processing was not necessary for the cohort of child users who did not wish to operate a public account. The DPC further noted that Meta had not conducted a data protection impact assessment (“DPIA”) in respect of this high-risk processing. As a consequence of that failure, Meta was unable to demonstrate that it complied with the GDPR in respect of this processing. In addition, by implementing a public-by-default audience setting, and thereby expecting every child user to have sufficient technical knowledge to change it, Meta created conditions in which the unnecessary publication of child users’ social media content could occur.
Fines & Corrective Measures:
The DPC imposed on Meta a substantial fine of €405 million. In addition, the DPC imposed corrective measures, including orders: (i) to provide child users with information, in a clear and transparent form, on the purposes of the public-by-default processing; (ii) to directly notify, using dynamic in-product notifications, all users of business accounts who switched to an Instagram business account between 25 May 2018 and 4 September 2019 and were children at that time, that Meta has removed its requirement that child users publish their contact information on Instagram business profiles; (iii) to conduct a data protection impact assessment in respect of any ongoing contact information processing and the public-by-default audience setting, and to implement appropriate measures ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed; and (iv) to reassess, for the purpose of the contact information processing, its reliance on Articles 6(1)(b) and 6(1)(f) of the GDPR by reference to the assessments, deliberations and conclusions of the EDPB, and to take the remedial action necessary to address the deficiencies identified.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.