Instagram owner Meta has been fined €405m (£349m) by the Irish data watchdog for letting teenagers set up accounts that publicly displayed their phone numbers and email addresses.
The Data Protection Commission confirmed the penalty after a two-year investigation into potential breaches of the European Union’s general data protection regulation (GDPR).
Instagram had allowed users aged between 13 and 17 to operate business accounts on the platform, which showed the users’ phone numbers and email addresses. The DPC also found the platform had operated a user registration system whereby the accounts of 13-to-17-year-old users were set to “public” by default.
The DPC regulates Meta – which is also the owner of Facebook and WhatsApp – on behalf of the entire EU because the company’s European headquarters are in Ireland.
The penalty is the highest imposed on Meta by the watchdog, after a €225m fine imposed in September 2021 for “severe” and “serious” infringements of GDPR at WhatsApp and a €17m fine in March this year.
The fine is the second largest under GDPR, behind the €746m levied on Amazon in July 2021.
A DPC spokesperson said: “We adopted our final decision last Friday and it does contain a fine of €405m. Full details of the decision will be published next week.”
Caroline Carruthers, a UK data consultancy owner, said Instagram had not thought through its privacy responsibilities when letting teenagers set up business accounts and had shown an “obvious lack of care” in users’ privacy settings.
“GDPR has special provisions to make sure any service which targets children is living up to a high standard of transparency. Instagram fell foul of this when accounts of children were set to open by default rather than private.”
Last year