Instagram faces big EU privacy decision on kids’ data within weeks

A final decision on a complaint against Instagram’s handling of children’s data in the European Union is set to land within weeks, TechCrunch has learned, following the completion of a procedural mechanism to resolve regulatory disputes over how to enforce the bloc’s General Data Protection Regulation (GDPR).

The enquiry about Instagram’s handling of kids’ data was opened by the Irish Data Protection Commission (DPC), Meta’s lead data supervisor in the EU, back in September 2020.

We’re told a final decision could come as soon as the end of this month (August 2022) — with a hard deadline of the first week of September for the DPC to issue the decision.

The DPC’s deputy commissioner, Graham Doyle, confirmed the decision has passed through the GDPR’s Article 65 dispute resolution process.

“We got it back from the EDPB [European Data Protection Board] last week,” he told us, adding: “We’ll have a decision… either the end of the last week in August or the first week in September. It has to be concluded by the first week in September.”

Details of what exactly the bloc’s data protection regulators have (collectively) concluded — and penalties Instagram will face, assuming they have found it breached the GDPR — are not being made public yet. But the DPC’s enquiry was opened after complaints Instagram was leaking the contact information of minors by letting them set up business accounts on its platform which made their contact information public by default.

The GDPR bakes in a general expectation of privacy by design and default — and pays special attention when it comes to applying the standard to ensure the protection of children’s data.

For the Instagram complaint, the DPC opted to open a so-called own volition enquiry, rather than acting solely on a specific complaint  — although it says its enquiry commenced after information was provided to it by a third party, as well as in connection with processing it had identified itself.

The regulatory confirmed today that the scope of its enquiry covers the issue of the processing of children’s data for Instagram ‘business accounts’; and also a second element involving a user registration system the platform operated — which it found could lead to the accounts of child users being set to “public” by default, unless the user changed the account settings to set it to “private”.

Instagram CEO, Adam Mosseri, recently announced that he would be temporarily relocating to Europe (London) this year. It’s not clear whether regulatory concerns factored into that decision but he will certainly be closer to policymakers who are making the most running when it comes regulating tech giants and social media.

Last year, Meta announced it was ‘pausing’ development of a version of Instagram aimed at children under 13 after a major backlash over concerns about the platform’s mental health impact on teens.