Instagram Lands $400 Million Fine For Mishandling Children’s Data

As Meta lands another big fine for mishandling data, we ask - when will social media platforms learn?
7 September 2022

What will it take for social media platforms to practice good data stewardship?

Meta, the company behind Facebook, Instagram, WhatsApp, and Messenger, is having a bad year when it comes to its handling of its users’ data. It’s currently dealing with two class action suits due to Facebook’s acquisition of confidential health data from medical technology (and in one case, the use of that data to target advertising at users). Children’s charities are up in arms about its plans to add end-to-end encryption to Messenger, which they say will help child abusers and groomers get away with their illegal activities. And now, Instagram has been handed a fine of over $400 million by Ireland’s Data Protection Commission as the result of an investigation into how it handled the data of children.

The investigation came about after Instagram allowed children between the ages of 13 and 17 to operate business accounts on the platform. To do that, for the sake of general business transparency, Instagram requires the publication of the account holder’s phone number and/or email address. Instagram’s system also set that identifying data as “public” by default.

That’s in breach of what’s known as the GDPR – the General Data Protection Regulation, which operates across the whole of Europe. While in some respects it’s regarded as a sledgehammer regulation, forcing businesses to conform to privacy standards far in excess of those that exist in other regions, including the US, the GDPR has full backing from the European Union, and fines for infringing its terms have often been on the heavy side.

Bumping Into the GDPR

The $403 million fine for Instagram is Meta’s heaviest infraction cost to date, but by no means its first. Back in March, 2022, Meta was fined almost $17 million for 12 data breaches across the course of 2018, and in July, 2021, WhatsApp was handed a $266 million fine – raised from an initial 50 million Euros after the EU privacy watchdog pressured the Irish Data Protection Commission to increase WhatsApp’s culpability, so that the fine would be taken seriously.

None of Meta’s individual fines, though, as yet compares with the astounding fine given to Amazon in July, 2021. The shopping tech giant was handed a fine of over $880 million by the Luxembourg National Commission for Data Protection for processing private data in contravention of the GDPR.

Instagram updated its own settings over a year ago, and has now released new features designed to keep children and teenagers safe and their information private. It’s also shelved plans for a child-centered but separate version of Instagram. That does suggest that Meta is beginning to get an idea that it cannot continue to flout data regulations in Europe.

But the continued fines meted out to tech giants for their misuse or mishandling of information across Europe – and the fact that, as with Instagram’s latest infraction, they keep appealing to get the fines reduced, claiming they are in some sense “unfair” or “disproportionately high” (potentially by comparison to the fines that would be levied in the States) – suggests that there’s a disconnect between these tech giants and the serious impacts their casual use and handling of user information can have. It suggests a corporate mindset where users give up all rights to their data, whether it’s public or private, by agreeing to use the platforms. While there’s a degree to which that’s inevitable – public information shared on social media is deemed to be in the public arena, and so can be used – the mindset feels like it underpins a culture where any amount of poor data stewardship is simply the price of doing social media business, and where fines are merely bumps in the road.

The Facebook Data Cases

In a sense, that mindset bodes ill for the two Facebook cases, which have been brought in the US, where there’s no overall equivalent of the GDPR. The cases hinge on the automatic transmission of patient data packets from hospital or clinic booking systems. Facebook received those data packets, including the patient’s name, the doctor’s name and the reason for the appointment, entirely outside the normal data usage policies of the social media platform. In at least one of the cases, that health data was then used to target the patient with healthcare-related advertising. In the post-Roe world, Facebook’s auto-gathering of health data might yet have dangerous or even fatal consequences if the data were to find its way into the hands of unscrupulous data brokers.

There are rumors that after the November midterms, there might well be moves in the new legislature to more aggressively regulate the ways in which tech giants, and social media in particular, are allowed to gather and use the data of their platforms’ users. Given the ongoing way in which Meta and other tech giants keep bumping into the walls on the issue of data stewardship in Europe, it’s arguable that something like a US version of the European GDPR might be the only way to teach the giants of the social media world to be better data stewards.