Ireland: DPC fined Meta/Instagram EUR 405 million for mishandling minors' personal information

On 15 September 2022, the Irish Data Protection Commission (DPC) closed its investigation into Meta, previously Facebook, regarding processing children’s data on its platform Instagram and issued a fine of EUR 405 million. The DPC opened the investigation into Facebook’s compliance with the General Data Protection Regulation (GDPR) in September 2020 after the agency received complaints regarding the lack of legal basis for processing children’s data. The investigation focused on how personal data of minors, including email addresses and phone numbers, were displayed on Instagram. In its decision, the DPC noted that Facebook failed to comply with the principles relating to the processing of personal data, data minimization and data protection by design and default requirements. Furthermore, the DPC stated that Meta has to change its data processing practices to comply with the GDPR provision.