Instagram fined $402 million in EU for allegedly mishandling children’s data

Instagram is being hit with the second-largest European Union privacy fine for allegedly mishandling data about children, ramping up the bloc’s enforcement of its privacy law against big technology companies.

Ireland’s Data Protection Commission said Monday that it fined Instagram owner Meta Platforms Inc. META 1.17%▲ 405 million euros ($402 million) in a long-running investigation that had looked at minors who operated business accounts on the service, potentially exposing more of their contact information than if they operated a personal account.

The Irish data regulator, which leads privacy enforcement in the EU for Meta and other technology companies with European headquarters in Ireland, said it has finalized the decision including the fine after incorporating changes ordered by a body representing all of the bloc’s privacy regulators, and planned to publish it next week.

Meta said the decision related to old settings it had updated more than a year ago, and that it plans to appeal the calculation of the fine.

Until late 2019, Meta said Instagram displayed business users’ contact information by default, but now it makes it optional. Users under 18 years old also now have their accounts set automatically to private when they sign up, among other new safety features, the company said.

Politico earlier reported on the amount of the Instagram fine.

The decision’s focus on children hits a sensitive area for social-media companies: their handling of minors on their services. Instagram faced criticism and investigations after The Wall Street Journal published articles showing that the company’s internal research found Instagram was harmful for teenage girls with body-image concerns, and the company later paused development of an Instagram kids app.

Last week, California legislators passed a bill that would require the makers of social-media apps like Instagram and TikTok to consider the physical and mental health of minors when designing their products. California Gov. Gavin Newsom must sign the bill for it to become law.

The Instagram fine works out to about 1% of Meta’s net income for 2021. But it might presage EU privacy decisions with greater potential to force changes to data-collection practices by many big tech companies if they are confirmed in likely court appeals. That could have ripple effects on the broader digital advertising and social-media sectors.

Ireland has 37 other pending privacy cases involving big tech companies. They include a case looking at whether Meta has the right to collect certain kinds of information about its users as a condition of using the service, and about whether some of the standard plumbing of digital-ad auctions comply with EU law.

Another case led by Ireland could order Facebook to stop sending data about its users to servers in the U.S. Meta has said in securities filings that if that decision is enforced before the EU and U.S. work out a new legal pathway for such data transfers, that it could suspend some of its services in Europe.

Those privacy cases are coming to a head at the same time as EU regulators have been taking a more aggressive line on enforcing its General Data Protection Regulation, after complaints from privacy activists that regulators – particularly in Ireland – have been too slow. Under the law, regulators from across the block have the right to weigh in on big cases that stretch across borders, and they have been using that right to push for additional charges and bigger fines in some recent decisions.

Last year, Luxembourg fined Amazon.com Inc. 746 million euros and Ireland fined WhatsApp 225 million euros for alleged privacy violations. Both companies contested the decisions and said they would appeal. WSJ