


Platforms, protect minors: A major decision by the Irish Data Protection Authority fines Instagram on an unprecedented scale


published on 26 September 2022 | reading time approx. 8 minutes


On 28 July 2022, META (formerly Facebook), the parent company of Instagram, was fined €405 million by the Irish Data Protection Authority ("DPC"). 

The sanction is due to several breaches of two fundamental principles of the GDPR, namely that a processing operation must be based on (i) a lawful purpose and (ii) a legitimate legal basis (consent, contract, law, legitimate interest, etc.).

This Irish decision is all the more significant because it involved the intervention of the EDPS, the European supervisory authority, which, acting as arbitrator, forced the local authority to substantially revise an initial draft that was too favourable to Meta.

This decision is a first in many respects:
  • The case concerns one of the most famous social networks, Instagram, a subsidiary of Meta and sister company of Facebook;
  • It is the second-highest fine imposed under the GDPR in Europe;
  • It is the first decision based on one of the fundamental principles of the GDPR, the choice of the applicable legal basis (Art. 6 GDPR);
  • More specifically, it concerns the personal data contained in the Instagram accounts of underage users. It should be remembered that, under the GDPR, the age below which a person is treated as a minor for the processing of personal data is 16 years (with possible variations depending on the country).

This decision is thus part of the broader European debate on uncontrolled access to the Internet by minors, or even the deliberate targeting of minors, resulting from the lack of any reliable means of identifying them with certainty or from the failure of certain platforms to demonstrate the necessary legal rigour.

Procedurally, the case began with an audit of Instagram by the Irish Data Protection Commission ("DPC").

It should be noted that on Instagram there are two types of accounts: 
  • Individual accounts, set to public by default (visible to Instagram users), but which the owner can switch to private;
  • Professional accounts, which Instagram sets to public by nature, and which are also available to minors who declare that they have a professional activity.

The investigation focused on the legitimacy of the public nature, whether by default or compulsory, of the accounts and of certain personal data of underage users on Instagram. Numerous breaches were found in this respect, running counter to the heightened protection that these children and their data require, particularly on the Internet.

As Instagram affects most European countries, several other national supervisory authorities were competent to hear the case (France, Germany, Italy, Norway, Finland, Netherlands...). 

The Irish DPC, designated as lead supervisory authority, therefore submitted its draft decision to those authorities in accordance with the procedural rules of the GDPR. That draft decision identified far fewer actual breaches on the part of Meta than the final decision.

These authorities then raised numerous objections, expressing their disagreement with the DPC's position, which they considered too lax with regard to the rules of Article 6 GDPR. In its role as arbitrator, the EDPS took up the case to examine these objections and to issue a decision, binding in this case, to the DPC. It forced the Irish authority to reverse its analysis and decision, and to impose a particularly high "deterrent" fine.

The facts of the case can be summarized as follows:

The creation of an Instagram account, by an adult as well as by a child (from 13 years old on Instagram), naturally requires the acceptance of the Terms of use of Instagram. There is already the preliminary question of the legal capacity of a minor to enter into a contract, which varies from country to country in the EU.

Each individual Instagram account naturally carries a certain amount of personal contact information that identifies and characterises the account. A standard individual account is set to public (visible to users) by default, unless the holder opts for a private account.

Instagram also offers public "business" accounts. Any individual account holder (including an underage user), if he/she has a professional activity, can transform his/her individual account into a business account.

Opening a business account requires additional contact information, such as an email address and/or phone number. Given the business nature of these accounts, Instagram configured this additional information to be publicly visible on the account holder's profile to any Instagram user, without filtering or encryption. In addition, because the same data was also exposed in the page's source code, it could be accessible on the Internet to a wider public that were not Instagram users.

The two main types of potential breaches therefore concerned: 
  • The mandatory public nature of emails and/or telephone numbers of underage business account holders;
  • The default "public" setting of individual accounts of underage users.

The first question was therefore: Is Instagram entitled to impose, by default, the public character of the personal data of business accounts when the account is held by a minor?

To justify such publication of personal data by default, without prior specific consent, Meta invoked two legal bases, depending on whether or not the legislation of the country concerned allowed a child to contract validly: (i) the contract (Instagram's Terms of Use) in case of the minor's legal capacity or (ii) Meta's legitimate interest in case of the minor's legal incapacity.

First of all, the EDPS recalls that, whatever the processing operation, minors must benefit from enhanced protection that is closely adapted to their specific risks, and from clear and comprehensible information, both of which are more demanding than the requirements applicable to processing targeting adults.

Addressing the issue of the contractual legal basis (Article 6(1)(b)), the EDPS also recalled that in this case two criteria had to be fulfilled: 
  • the existence of a lawful contract (which varies according to the laws applicable to the legal capacity of a minor);
  • the fact that the processing operation had to be “objectively necessary” for the performance of the contract in relation to the data subject.

Thus, the EDPS found that Instagram's Terms of Use, which, like all social networks' Terms, are very long and detailed:
  • were drafted in a uniform manner, regardless of the user, without adapting their language to the specific situation of minors or proposing specific protection measures for them;
  • were not easily understandable by a child;
  • did not provide any clarification on this specific "public" treatment of business accounts;
  • and, above all, did not demonstrate how the mandatory publication of the personal data of business accounts owned by minors was "objectively necessary" for the processing of such accounts. Moreover, before 2019 the minor was unable to refuse this publication; that option was only added in September 2019.

Turning to the "legitimate interest" legal basis (Article 6(1)(f) GDPR), invoked where the minor lacks the capacity to enter into the Terms of Use, the EDPS first recalled the exceptional nature of this category of legal basis, the choice of which must therefore be justified with greater rigour. When this legal basis is invoked, the data controller must establish, in particular by means of a balancing of interests, that the fundamental rights and freedoms of the individuals concerned do not override the interest claimed by the controller.

The EDPS considered that, in this case of business account processing, the mandatory public character of this contact data (before 2019) was neither indispensable to the operation of business accounts nor legitimate, insofar as it overrode the fundamental rights and freedoms of a minor. For the period after the addition of an opt-out in September 2019, the EDPS also considered that, although this brought Instagram closer to compliance with the legitimate interest rules, it was not sufficient to outweigh the level of risk involved in publishing minors' data, nor the consequences should those risks materialise.

The second question was: Is Instagram entitled to impose, by default, the public character of a standard Instagram account opened by a child, rather than making it private?

The DPC, not contradicted by the EDPS, considered that, while Instagram's "personal data policy" did include information on the purposes pursued by such processing, supposedly justifying this public-by-default setting:
  • these purposes were not expressed in terms sufficiently appropriate and accessible to a minor to be considered "clear and transparent" within the meaning of Article 12(1) of the GDPR;
  • this default setting did not appear to be indispensable to the achievement of the intended purposes;
  • Instagram did not demonstrate that it had taken appropriate technical and organisational measures to address the specific risks of using children's personal data.

Finally, the EDPS recalled the applicable rules, both contextual and principal, for assessing the amount of an administrative fine, in particular its potential dissuasive nature. These rules were applied more severely in light of the negligent or even intentional character of some of the breaches identified by the DPC.

In total, the cumulative sanctions for the various breaches identified amount to EUR 405 million, an unprecedented sum in the history of the EDPS.

Through this deliberately exemplary and dissuasive decision and sanction, the EDPS is sending a clear signal to economic operators who welcome, or even target, minors, in particular on the Internet, a borderless breeding ground for abuse:

Adapt your processing to the very specific requirements of overprotection of minors' personal data, even if this requires much more demanding procedures than those applied to adults!

Following another decision by the Irish DPC earlier this month, prohibiting the transfer of Facebook and Instagram user data from the Old Continent to the United States because of the rights of scrutiny enjoyed by certain American authorities, this new decision fuels Meta's reflection on whether or not to keep its two flagship applications in Europe.

The battle between two conceptions of fundamental freedoms is tense between the public interests defended by a normative text as demanding as the GDPR, and the interests of international platforms, based on a very liberal vision of individual rights.

DATA PROTECTION BITES

Contact


Frédéric Bourguet

Avocat

Associate Partner

+33 1 8621 9274


RÖDL & PARTNER FRANCE
