According to various reports, on the 5th September 2022, the giant social media Instagram was sanctioned to pay a fine of $400M by the Irish data protection commission.
The investigation, which started in 2020, focused on child users between the ages of 13 and 17 who were allowed to operate business accounts. Business accounts provides advanced metrics for tracking views and likes but prone to publishing users’ phone numbers and email addresses under default settings.
A study by data analyst David Stier, revealed that more than 60 million Instagram users under the age of 18 changed their personal accounts into business accounts, unwary that their data would be published as per default setting. It was on this basis which the Irish Data Protection Commission sanctioned the fine.
However, Instagram disagrees with how the fine was calculated and plans to appeal against this decision. Moreover, reports suggested that Instagram updated its settings over a year ago and has since released new features to keep teens safe and their information private, in conformity with the GDPR regulation.
This fine is currently a new record fine for Ireland and the second highest fine ever sanctioned under the GDPR regulation. Here below is a recap of the biggest fines sanctioned by the several GDPR commissions:
For reminder, the GDPR is an extraterritorial law. Any organization which processes data of EU citizens have the obligation to protect the citizens data accordingly to the requirements of the GDPR. If you process data of EU citizens and you are based in Mauritius, you still have to follow the guidelines established by the GDPR.
If you wish to have an assessment of your level of compliance, please contact us for a free consultation.