The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.


Why Instagram was fined

The publication of the EDPB’s binding decision settling the dispute that arose between the Irish authority, as lead supervisory authority (LSA), and a number of other concerned supervisory authorities (CSAs), together with the publication of the revised LSA decision issued in accordance with the EDPB’s comments, provides an opportunity to return to the reasons behind the imposition of the second-largest fine of all time for infringements of the GDPR (€ 405 million against Instagram, now Meta IE).

Figure – Current major GDPR fines already imposed and fines imposed by the Irish authority on Meta group companies as of September 2022.

Beginning of the dispute

The dispute arose as a result of an ex officio investigation by the Irish Data Protection Commissioner, which began on September 21, 2021, regarding certain processing operations of Facebook Ireland Limited, later named Meta Platforms Ireland Limited (Meta IE). The investigation and subsequent measures concerned Meta IE’s processing of personal data in connection with the public disclosure of email addresses and/or phone numbers of minor users of Instagram’s business account function and a public setting, by default, for personal accounts of minor users on Instagram.

Subject of the dispute

In summary, over a period of time, Meta IE had been automatically posting the email addresses and/or phone numbers of minors (between 13 and 17 years old) who were users of the company’s Instagram account, without seeking their consent.

Role of the EDPB

The European Data Protection Board (EDPB), composed of the representative of each national supervisory authority and of the EDPS, is responsible for ensuring the consistent application of the regulation.

Cooperation procedure

The regulation requires the supervisory authorities, both the LSA and the CSAs, to cooperate, working to reach consensus among themselves [Art. 60(1), GDPR]. Along these lines, when “cross-border processing” [Art. 4(23), GDPR] is deemed unlawful, the LSA shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views [Art. 60(3), GDPR]. The Irish LSA’s draft decision was adopted in June 2021, notified to Meta IE with an invitation for comments and, in December 2021, shared with the CSAs.

Consistency mechanism

If a CSA raises a relevant and reasoned objection to a draft decision of the LSA, highlighting the relevance of the risks [Articles 4(24) and 60(4), GDPR], and the LSA does not agree with the objection, the LSA shall submit the matter to the consistency mechanism.

In the Instagram dispute, the supervisory authorities of Germany, Finland, France, Italy, the Netherlands, and Norway filed relevant and reasoned objections to the draft decision adopted by the Irish LSA. On the concepts of “relevant and reasoned,” the EDPB adopted Guidelines 9/2020 [version 2 of March 9, 2021].

Relevant Objection: according to the EDPB, “in order for the objection to be considered as ‘relevant’, there must be a direct connection between the objection and the substance of the draft decision at issue. More specifically, the objection needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR.” [EDPB Guidelines 9/2020 cit., para. 12].

Reasoned Objection: again according to the EDPB guidelines, the objection must include “clarifications and arguments as to why an amendment of the decision is proposed (i.e. the legal / factual mistakes of the LSA’s draft decision). It also needs to demonstrate how the change would lead to a different conclusion as to whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR.” [EDPB Guidelines 9/2020 cit., para. 16].