The Irish Times view on Instagram and children’s rights: a dereliction of duty

It should not be necessary for inquiries under GDPR to guard against a cavalier attitude to child or adult privacy

The €405 million fine on Facebook owner Meta follows a €225 million sanction against the firm's WhatsApp unit one year ago.
The €405 million fine on Facebook owner Meta follows a €225 million sanction against the firm's WhatsApp unit one year ago.

A €405 million fine on Facebook owner Meta Platforms for violating teenagers’ rights on the Instagram app reflects deep concern about the tech giant’s lax attitude to privacy. This penalty from Irish data protection commissioner Helen Dixon follows a €225 million sanction against its WhatsApp unit one year ago. Meta faces a third fine after an investigation into a complaint from Austrian campaigner Max Schrems, which centres on the legal basis Facebook relies on to process data.

Meta will appeal the Instagram ruling, as it did the WhatsApp penalty. The company insists nothing is more important to it than the privacy and safety of its app users. But such words do little to reassure. At issue here was disclosure to the world at large of children’s email addresses and phone numbers in Instagram’s business account format and a default public setting for children’s accounts. Potentially millions of teenagers were affected.

Common sense alone suggests these are unacceptable hazards – and it should not be necessary for inquiries under Europe’s general data protection regulation (GDPR) to guard against a cavalier attitude to child or adult privacy. The contested settings have since been changed. But in an era of pervasive threats from those who misuse social media to exploit the vulnerable, this was an egregious dereliction of duty. Still, the fine may be no more than a blip for the company. Meta reported net profits equivalent to €6.7 billion in the three months to June. With such enormous volumes of money at stake when large companies use consumers’ personal data, the need for robust and timely enforcement of privacy law is all too urgent.

As with WhatsApp, however, the Instagram fine comes only after six of Dixon’s European counterparts objected to her original conclusions. Nine months of argument in Brussels followed her draft decision in December. That is far too long. With a large number of cross-border GDPR inquiries still outstanding, the effort to hold Big Tech to account is undermined by bureaucratic delay and disputes between regulators.