Record GDPR fine of €405 million for Instagram
Following the European Data Protection Board (EDPB) binding dispute resolution decision of July 28th, the Irish Data Protection Authority (DPA) has adopted its decision regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and has issued a record GDPR fine of €405 million.
The EDPB’s binding decision was adopted on the basis of Art. 65 GDPR, after the Irish DPA as lead supervisory authority (LSA) had triggered the dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, the CSAs issued objections concerning the legal basis for processing and the determination of the fine. The DPC subsequently made amendments to its draft decision following the dispute resolution process.
This is the first binding decision of the EDPB addressing one of the fundamental pillars of EU data protection law: the lawfulness of processing in accordance with Art. 6 GDPR. In particular, the EDPB provided further clarification on the applicability of the legal bases of ‘performance of contract’ and ‘legitimate interest’.
Meta IE relied on these two legal bases alternatively for the publication of email addresses and/or phone numbers of children who used Instagram business accounts. The EDPB found that there were no grounds for the LSA to conclude that the processing at stake was necessary for the performance of a contract. Consequently, Meta IE could not have relied on Art. 6(1)(b) GDPR as a legal basis for this processing.
As regards legitimate interest, as an alternative legal basis for the processing, the EDPB found that the publication of the email addresses and/or phone numbers of children did not meet the requirements under Art. 6(1)(f) GDPR, since the processing was either unnecessary or, if it were to be considered necessary, it did not pass the balancing test required when determining legitimate interest.
The EDPB therefore concluded that Meta IE processed children’s personal data unlawfully without a legal basis and instructed the LSA to amend its draft decision in order to establish the infringement of Art. 6(1) GDPR.
Finally, the EDPB instructed the LSA to reassess its envisaged administrative fine in accordance with Art. 83(1) and 83(2) GDPR to:
- impose an effective, proportionate and dissuasive administrative fine for the additional infringement, taking into consideration the nature and gravity of the infringement, as well as the number of data subjects affected;
- ensure that the final amounts of the administrative fines are effective, proportionate and dissuasive.
This current decision is without any prejudice to any
assessments the EDPB may be called upon to make in other cases, including with
the same parties.
The final decision taken by the Irish DPA is available in the Register for Decisions taken by supervisory authorities and courts onissues handled in the consistency mechanism.
For further information regarding the Art. 65 GDPR procedure, please consult the Art. 65 FAQ
(edpd.europa.eu/ photo freepik.com)