Meta fined 405 million EUR for not handling teenagers’ data appropriately

Summary

Instagram allowed teenagers aged 13-17 to create business accounts whereby the children’s contact information was publicly available by default.

The case was brought before the European Data Protection Board as the Irish DPA, as lead supervisory authority, triggered the dispute resolution procedure concerning the objections raised by several concerned supervisory authorities. The final decision was adopted by the Irish DPA.

The question in the case was whether Meta had a legitimate interest in disclosing the personal data of the children, as they used this as the legal basis for processing the personal data.

Binding decision from Irish DPA

The Irish DPA found that Meta did not have any valid basis for making their personal data publicly available. Therefore, Meta was fined 405 million EUR.

Meta was also ordered to change the setup of business accounts for children, so that children’s data was not made public by default.

Our remarks

• Meta’s financial gain from the infringement was decisive for the outcome of the case and the size of the fine.

• The case is a reflection of the Better Internet for Kids strategy (BIK+). The European Better Internet for Kids strategy (BIK+) is an initiative focused on creating a safer and more positive online experience for children and young people. It aims to raise awareness about online risks, provide tools for protection, foster resilience in dealing with negative experiences, and advocate for effective policies to ensure child safety online. The initiative has been adopted by several countries and international organizations such as UNICEF.

• A data controller should be aware of how information about the data subject is provided when they know they have young users. A good tip here is to use age filters. Another way to address the challenges is, for example, what TikTok has done: it has made a privacy policy for American children that is written in simpler language. Initiatives like this are a good step towards complying with the obligation to inform when it comes to children.

• The case reminds us that users may use services in unintended ways. Therefore, controllers should be aware of unexpected usage patterns and should test for them before releasing new features in a system.

• The case is at the time of writing under appeal.

Published: 28-07-2022
Journal number: 2/2022
Tags: 01 Legal basis for processing and principles of processing
Complycloud EU GDPR Report