The Irish Data Protection Commission (Irish DPC) received criticism of its own after fining Instagram a record 405 million euros (U.S. $405 million) earlier this month for General Data Protection Regulation (GDPR) violations involving the protection of underage users' data.
The regulator started looking into why child users' accounts had a default "public" rather than "private" setting and how users between the ages of 13 and 17 could create "business accounts" on the social media platform, which occasionally resulted in the public disclosure of their phone numbers and/or email addresses.
According to the binding ruling of the European Data Protection Board (EDPB), which was issued on September 15, discussions throughout the cross-border case were anything but easy.
The Irish DPC is often required to act as the main supervisory authority in any cross-border inquiry on behalf of other European data protection authorities (DPAs), since Meta, the company that owns Instagram, has its European headquarters in Ireland.
DPAs can interpret the GDPR differently, hold different opinions on enforcement, and exhibit various tolerances for what constitutes an infringement, as demonstrated by previous cross-border instances. Additionally, they are concerned with making sure that certain grievances and damages peculiar to their own residents are effectively handled and not ignored. It was the same in this instance.
The Irish DPC's draft ruling was criticized by the DPAs of Germany, France, Finland, Italy, the Netherlands, and Norway for being too lenient. Their main worries were that Instagram's handling of children's personal data was "intentional" rather than "negligent," as some DPAs believed, and that the Irish DPC failed to recognize the full gravity of the situation. The Irish regulator's proposal to impose fines between €202 million and €405 million started from an unfairly low base.
The Irish DPC initially disregarded their worries, claiming that they were neither "relevant" nor "reasoned."
The EDPB's binding judgment, which was made in accordance with Article 65 of the GDPR after the Irish DPC was unable to reach an understanding with other DPAs, demonstrates how inaccurate the regulator's research and findings may have been.
The EDPB's ruling indicates that the Irish DPC should have examined the straightforward issues of whether it is appropriate for a company to process data without informed consent and/or make children's data publicly available under any circumstances rather than focusing too heavily on the finer points of interpreting the GDPR.
The Irish DPC's investigation was deemed too narrowly focused by the EDPB, which also implied that the regulator sided too readily with Meta without providing any justification.
The Irish DPC's judgment that processing children's data was occasionally essential was, in the opinion of the EDPB, "substantially erroneous" and "did not properly assess the impact of the processing." The regulator "failed to give proper weight to all the other relevant elements and the risks it had itself identified," the EDPB continued, adding that it "only took into account the positive consequences of the processing."
The EDPB said, "[A]lthough the public-by-default processing was examined by the [Irish DPC] in the draft decision, the question of compliance of the public-by-default processing with Article 6 GDPR was neither within the scope of the inquiry … nor it was addressed by the [Irish DPC] in the draft decision."
According to legal experts, the contrasts between the Irish DPC's strategy and the EDPB's legally binding ruling emphasize the challenges associated with enforcing and adhering to the GDPR.
According to Jowanna Conboye, technology and data protection partner at law firm Spencer West, "The fact the Irish DPC first reached different and more lenient conclusions in relation to Meta’s processing of children’s data should be a concern. That Instagram had designed its system to have children’s accounts as public by default and to allow children to have business accounts on the platform … has real and serious safeguarding consequences."
The ruling, according to Will Richmond-Coggan of the law firm Freeths, which specializes in data and privacy issues, underscores the fundamental challenges facing GDPR enforcement in terms of resources, legal interpretation, and uniformity in regulatory decisions. He recommended that the EDPB take the initiative in future enforcement.
"There is considerable uncertainty at a European level about how any individual complaint will be addressed," he added. "This is not helpful for the complainants, for the under-resourced authorities trying to police organizations significantly bigger than they are, or for organizations themselves looking to ensure they stay on the right side of the line in these technically complex areas."
The chief executive and co-founder of the global data consultancy Carruthers and Jackson, Caroline Carruthers, thinks that teaching businesses the morals of appropriate data usage and retention, as opposed to enforcing them with a "big stick," is the best course of action.
"We need to get back to basics and base data governance on ethical considerations rather than just trying to strictly follow the latest data regulations," she added.
By fLEXI tEAM