The Data Protection Commission of Ireland (DPC) has submitted a draft decision in a GDPR inquiry against Instagram. The DPC submitted the decision on December 3rd.
The DPC commenced an inquiry in September 2020 to examine the processing of children’s data by Facebook “in the context of Instagram”.
What’s the issue here?
In June 2019, a U.S. – based data scientist reported concerns to Instagram that its platform was leaking contact information of minors. However, Instagram failed to fix the issue, and David Stier published the details of his investigation. He claimed that Instagram openly displayed the contact information (email and phone) of children who changed the nature of their Instagram account to a ‘Business Account”.
As a result, millions of children had their contact information exposed.
The Irish DPC, a year later, opened an inquiry into the issue. Announcing the submission of the draft decision, Deputy Commissioner Graham Doyle has now revealed that the inquiry was “commenced in response to information provided to the DPC by a third party, and also in connection with issues identified by the DPC following examination of the Instagram user registration process.”
Two Pending Enquiries
In a statement to Techcrunch last year, the DPC confirmed two statutory inquiries into Facebook’s processing of children’s data on the Instagram platform.
It said, “The DPC will set out to establish whether Facebook has a legal basis for the ongoing processing of children’s personal data and if it employs adequate protections and or restrictions on the Instagram platform for such children.” It also said that it will consider if Facebook meets its obligations as a data controller with regard to “transparency requirements”.
Regarding the second inquiry, it said it will focus on Instagram profile and account settings to determine its “appropriateness for children”.
Restrictions on processing data of a child
Article 8 of the GDPR bars any data controller from processing the data of a child under 16 years of age. However, it can do so it obtains consent from the person who holds parental responsibility over the child.
The Irish DPC is also investigating TikTok to examine the company’s compliance with the transparency obligations with respect to the processing of personal data of users under age 18.
Submission of Draft Decision? What happens next?
The GDPR has a one-stop-shop mechanism. As such, businesses operating in more than one EU market would need to deal with only one ‘lead’ data protection authority [Article 56]. Since Facebook (now Meta) has its headquarters in Ireland, the Irish Data Protection Authority would be the lead authority here.
Further, according to Article 60 of the GDPR, the lead supervisory authority shall submit a “draft decision” to other supervisory authorities for their opinion and take account of their views. Other authorities now have one month to send their “reasoned and relevant objections”.
The lead authority can adopt & notify the decision only if other supervisory authorities don’t object to the draft decision. In case a supervisory authority raises an objection, the lead authority can adopt a revised decision. If they fail to reach a consensus, the European Data Protection Board (EDPB) can adopt a binding decision.
In July this year, the European Data Protection Board (EDPB) met after eight DPCs raised objections to the initial fine of €50 million against WhatsApp. Subsequently, the EDPB issued a binding decision and instructed the Irish DPC to reassess and increase its proposed fine. The DPC ultimately raised the fine to €225 million.