The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

€405 million fine to Instagram

Ireland’s supervisory authority (Data Protection Commission “DPC”) on September 2, 2022 fined social media platform Instagram – of the Facebook group, now called Meta – €405 million for GDPR infringements. This is the largest fine imposed by this authority and the second ever imposed by an EU privacy authority, following the €746 million fine imposed by the Luxembourg authority against Amazon

The decision follows an investigation into child data breaches launched in September 2020 by the Irish authority into Meta Ireland’s processing activities.

Figure – Current major GDPR fines already imposed and fines imposed by the Irish authority on Meta group companies as of September 2022.

Previous fines imposed to Meta

In 2021, the DPC had fined WhatsApp, also owned by Meta, €225 million, again for GDPR violations, and this latest sanction is the third that the DPC is imposing on a Meta group company (in addition to €17 million against Facebook, imposed in March 2022, following the authority’s investigation of multiple data breaches that occurred in 2018).

Subject matter of the action

The subject matter of the current action involved two types of processing carried out by Facebook Ireland Limited. The first allowed minor users between the ages of 13 and 17 to have “business accounts” on the Instagram platform, and these accounts required and/or facilitated the publication of the minor user’s phone number and/or email address.

With the second type of processing, Facebook Ireland Limited managed the accounts of minor users by setting them as “public” by default, thus making public (i.e., disseminating) the social media content of minor users unless the user took action to change the default account setting to “private.”