£349 Million Instagram Fine is Anything But Child’s Play…
Instagram, owned by Meta, has been issued with a £349 million fine over children’s data privacy by the Irish data protection regulator, the DPC. The DPC has never before given such a large fine for a breach of the General Data Protection Regulation (“GDPR”).
The enquiry carried out by the DPC considered the understandable concern over children’s phone numbers and email addresses, both of which are considered personal data under GDPR. Children between the ages of 13 and 17 were able to set up business Instagram accounts which would display their phone numbers and email addresses. Equally, the user accounts of children would be automatically set to “public” by default, unless the user changed their settings to “private”. This means that anyone could find that child online and see images and posts as well as having the ability to message them – a clear safeguarding issue. GDPR requires organisations to demonstrate privacy by design and, as illustrated above, making children’s profiles public by default does not demonstrate it. Most importantly, children’s data should be protected to a higher standard than an adult’s to ensure that there is appropriate safeguarding in place.*
There are two key points here when we are considering how this may affect businesses. For one, the fine demonstrates that no organisation should be complacent when approaching the collection and processing of children’s personal data. For clarity, under UK GDPR a child is defined as anyone under the age of 18; however, specific guidelines are in place for children who are under the age of 13 (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/). Instagram, in collecting and processing the data of children under the age of 13, therefore needs to ensure that it has appropriate safeguards in place to protect their data. In this case, Instagram has failed to demonstrate to the regulator that it has fulfilled the privacy by design approach as well as protecting children’s data at a higher level.
The second point is that regulators are taking children’s data protection (specifically) very seriously and you should be too. As we can see demonstrated here, regulators are not afraid to give out large fines in order to get the point across. The importance of safeguarding children has also been reflected in the Online Safety Bill as well as The Children’s Code, suggesting to organisations that they too need to be reviewing their practices when it comes to children’s data. This is not to say that organisations should not be processing the data of children, rather that the risks of doing so should be identified and then mitigated, with the correct procedures and safeguards in place.
Should you want more information in relation to how to best safeguard children’s data in your organisation please contact us at email@example.com.
* It is worth mentioning that practices have changed since the initial regulatory investigation, and the original issue in relation to children’s profiles being public has now been rectified in line with the Children’s Code (https://ico.org.uk/for-organisations/childrens-code-hub/childrens-code-design-guidance/).