Instagram — Enforcement

majorAnti-PrivacyJul 26, 2022 → Sep 5, 2022Enforcement

Executive Summary

The Irish DPC fined Instagram €405 million for GDPR violations related to children's data processing — the largest GDPR fine by the DPC at the time. The investigation found that Instagram allowed teens aged 13–17 to operate business accounts that publicly displayed their phone numbers and email addresses, and personal accounts of children were set to public by default. The case went through the EU's Article 65 dispute resolution process before the final decision.

Post LinkedIn Reddit Email

children-privacy eu-compliance enforcement

What Happened

On September 5, 2022, Ireland's Data Protection Commission finalized a decision to fine Instagram €405 million for GDPR violations related to children's data processing. The investigation, initiated in September 2020, found that Instagram allowed teenagers aged 13-17 to operate business accounts that publicly displayed their phone numbers and email addresses, and set personal accounts of children to public by default. The case went through the EU's Article 65 dispute resolution process after the Irish DPC could not reach consensus with other EU regulators, with the final decision adopted on September 2, 2022, recording violations of multiple GDPR articles including requirements for lawful processing, transparency, data minimization, and privacy by design.

Who Is Affected

Child users of Instagram between the ages of 13 and 17 were affected, particularly those who operated business accounts that exposed their contact information publicly. The violations also affected children whose personal Instagram accounts were set to public by default, potentially exposing their personal data more broadly than necessary. Instagram's parent company Meta was impacted with the record fine and requirement to implement corrective measures.

Why It Matters

This was the largest GDPR fine issued by Ireland's Data Protection Commission at the time, representing significant enforcement action on children's privacy protections. The case demonstrates how EU regulators can use the Article 65 dispute resolution mechanism to strengthen enforcement when individual regulators disagree, and it establishes clear expectations that social media platforms must implement privacy-by-default settings for children rather than requiring them to opt in to protection. The violations touched on fundamental GDPR principles including lawful data processing, transparency, data minimization, and privacy by design.

What You Should Do

If your child uses Instagram, review their account privacy settings immediately to ensure their profile is set to private rather than public. Check whether they are using a business account and if so, verify what contact information may be publicly displayed and consider switching to a personal account with private settings. Instagram has updated its settings since the investigation period, but parents should actively verify their children's accounts are configured to minimize public exposure of personal information.

AI-Assisted

Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.

Sources

Related Events