A fat fine — of €405 million — is coming Instagram's way after European Union privacy regulators agreed on a long-running complaint regarding its treatment of children's data.
The situation involves a breach of the EU's General Data Protection Regulation (GDPR).
Meta has been contacted for comment on the penalty.
We understand the last GDPR determination on the question concerning Instagram was transmitted to Meta, parent of Instagram, Friday — before formal publication on the websites of the company's lead data controller in the EU, Ireland's Data Protection Commission (DPC); and the European Data Protection Board (EDPB), a governing body that assisted in a decision-review process that also included other interested EU data protection authorities — but the size of the fine for Meta appears to have leaked ahead of the time, via a story in Politico, that details the figure of the fine (which comes out to around $403 million at current currency exchange rates) but includes no more detail on the decision.
The DPC of Ireland confirmed the amount of the fine to us. In TechCrunch, Graham Doyle, deputy commissioner said: "We adopted our final decision last Friday and it does contain a fine of €405 million. Full details of the decision will publish next week."
The social media giant was hit with the largest GDPR penalty it has received to date, although not the largest ever imposed with a GDPR fine; Amazon received that honor — after a $267 million penalty levied upon the Meta-owned messaging platform WhatsApp last September for violating the transparency principle of the GDPR.
WhatsApp Faces $267M Fine for Breaching Europe's GDPR
The Instagram complaint was on how the company processed children's data for business accounts and on a user registration system it operated which the DPC determined could result in the accounts of child users being set to "public" unless user account settings changed to set it to "private".
The GDPR includes robust measures requiring privacy by design and default more generally —as well as provisions designed to strengthen the protections for children's information, specifically, and to ensure services directed at children are properly meeting transparency and accountability principles such as through communications sufficiently clear to be understood by the child).
The justification for the fine imposed on Instagram is going to be published in the following days, along with the final ruling, published next week, assuming it does not leak ahead of time.
While today's headlines are going to be painful reading for Meta, another social media firm likely to be watching developments very closely is TikTok, which is also under investigation by the DPC over its own handling of children's data. That enquiry was only opened by the DPC last year, so it's likely to have some time to run before a decision is reached.
The decision for Instagram needed more time than usual because other DPAs lodged objections to Ireland's draft decision - that had activated a provision of the regulation for the resolution of disagreements which can add many months to the timeline.
Ireland's decision over WhatsApp was put to scrutiny too after objections had been raised to its draft-and indeed, the size of the penalty was substantially increased in that case. It remains to be seen whether that is also the case in this instance regarding Instagram.