Ireland-led GDPR inquiry into Instagram’s use of kids’ data inches on

Ireland’s embattled data protection regulator, the DPC, has announced the submission of a draft decision sent to other EU DPAs Friday in relation to a General Data Protection Regulation (GDPR) investigation into Instagram’s handling of children’s data that was opened over a year ago.

The DPC announced two statutory inquiries into Instagram, back in October 2020, looking at how the social networking giant processes children’s information following a number of complaints — including one inquiry it said would examine the legal basis Facebook claims for processing children’s data on Instagram, and whether or not there are “adequate safeguards” in place.

The second inquiry was slated to examine Instagram’s profile and account settings — looking at the “appropriateness” of settings for children — for whom the GDPR sets a very high standard of data protection on key principles like “Data Protection by Design and Default”.

In a statement today, the DPC deputy commissioner, Graham Doyle, confirmed the regulator has handed the baton to other EU data protection authorities (DPAs) to weigh in, writing:

As the Lead Supervisory Authority for Facebook/Instagram, we opened this inquiry in September 2020. It was commenced in response to information provided to the DPC by a third party, and also in connection with issues identified by the DPC following examination of the Instagram user registration process. We last week submitted our draft decision to our colleagues for their views on it. This is part of the process under Article 60 of the GDPR, where we send draft decisions to other Concerned Supervisory Authorities and they have one month to send us their ‘reasoned and relevant objections’. This is the seventh DPC inquiry to have reached the Article 60 stage under the GDPR. In addition to this Instagram inquiry, two other DPC inquiries into Facebook are currently at the Article 60 stage.

The submission of a draft decision by a lead supervisory authority is a standard part of the regulatory process for cross-border GDPR cases. It allows other DPAs to review the lead DPA’s conclusions and submit objections if they disagree — as has happened with all other such DPC draft GDPR decisions pertaining to big tech.

The only two final decisions to come out of Ireland on such cases so far — on Twitter and WhatsApp — passed through this Article 60 review process and both received objections that led to increased penalties (substantially increased in WhatsApp’s case) versus the lower ball suggestion of the DPC.

It is likely that Ireland’s draft decision on Instagram will face similar pushback from other data supervisors across the bloc. Although the DPC is keeping its conclusions under wraps.

In terms of time frame, it could take more than half a year before a final decision on the Instagram complaint is settled — judging by how long the process has taken to rework earlier DPC draft decisions.

In the Twitter case, the DPC submitted a draft decision in May 2020, and a final decision was issued in December of the same year. While the WhatsApp draft was submitted in January 2021 — but took until September for the $267 million fine for WhatsApp to be agreed.

So a final decision on Instagram may not arrive before mid 2022.

In the meanwhile the social network is facing high-level pressure on home soil over its impact on vulnerable users like teens, following revelations by the Facebook whistleblower, Frances Haugen, who leaked thousands of internal documents to the media this fall — including research that appears to show the platform has a toxic impact on teenage girls’ body image.

And in September, amid a wave of negative press and critical backlash, Instagram announced it was “pausing” development on a version of its service planned for under 13s.

This week, Instagram chief, Adam Mosseri has been called to give evidence to the U.S. Senate — as part of a series of hearings about online safety for children and teens. And ahead of that hearing the platform just announced a slate of new safety features for “young people” — including its first parental tools (due early next year).

So whatever GDPR decision eventually emerges from the Ireland-led Instagram probes, Meta will be able to claim the platform has moved on in how it handles children’s data — and that any enforcement the EU orders is already out of date.

Criticism of DPC’s close working with Meta

The timing of the DPC’s public notification of the Instagram draft submission comes as the regulator is facing a firestorm of fresh criticism over its close working with Facebook/Meta: aka, the tech giant that owns Instagram and over whose data-mining empire the DPC holds (on paper) a lead supervisory role, thanks to the GDPR’s (forum shopping-friendly) one-stop shop (OSS) mechanism.

A document released Sunday by European privacy campaign group noyb details an intervention by the DPC that’s clearly aligned with the interests of Facebook, as the regulator can be seen pushing for what noyb bills as a “consent bypass” to be written into EDPB’s GDPR guidelines.

Clearly aligned because Facebook has indeed sought to game GDPR compliance by switching from a consent-based legal basis for processing users’ data for ad targeting (which is legally problematic since Facebook does not offer users a free choice over whether they accept behavioral ads or not; indeed, there is no choice unless you stop using Facebook entirely; yet for consent to be legal under GDPR it must be specific, informed and freely given… ) — to, as the regulation came into application in 2018, the aforementioned consent bypass whereby it shifted to a claim that users of its services are actually in a contractual agreement with it to receive targeted ads… Which would be quite the personal data heist to pull off — were that switcheroo to be accepted by European data protection regulators.

Indeed, noyb has been challenging Facebook over this “forced consent” since May 2018 — when it filed its first GDPR complaints.

The DPC has yet to decide on the complaint but the regulator is minded to accept Facebook’s GDPR consent bypass — per a draft decision which was published by noyb this October.

The not-for-profit followed up that revelation by filing a charge of criminal corruption against the DPC last month — accusing the regulator of “procedural blackmail” and revealing it had written to noyb demanding it take down the draft decision. The DPC also pressured noyb to sign a non-disclosure order in relation to the ongoing procedure against Facebook — and the regulator’s correspondence implied it would exclude noyb as a party to the ongoing GDPR process if it did not agree to the blanket confidentiality demand.

Noyb argues there is no legal basis for the DPC to gag the oversight process in this way. (Indeed, it’s literally asked the regulator to file a suit against it so that it can challenge any such claim in court.)

It has doubled down on criticism of the DPC’s attempts to enforce confidentiality by releasing further documents each Sunday before Christmas — to shine more light on the inner function (and, critics would say, dysfunction) of the DPC.

The regulator has hit back with lengthy rebuttals that, nonetheless, don’t address the core legal points being raised by noyb (e.g. see the updates to this report).

Today the DPC has issued a new public statement — in which it denies acting in “bad faith on foot of meetings it held with Facebook as part of its regulatory role”; denies it “lobbied” the European Data Protection Board (EDPB) to try to get it to adopt guidelines that would have been “in the best interests” of Facebook; and further claims: “[noyb’s] allegations are utterly untrue.”

Its statement does, however, admit to providing Facebook — between late 2017 and March 2018 — with what the regulator characterizes as “high level feedback” vis-à-vis Facebook’s “GDPR preparation programme”.

We’ve asked the DPC for more details about the feedback it provided to Meta/Facebook during this period.

The DPC’s statement goes on to deny that it helped Facebook develop the GDPR consent bypass, with the regulator writing: “[A]t no time in the course of its engagement with Facebook… did the DPC approve, jointly develop, endorse, consent to, or negotiate on the processing operations of Facebook. Neither it must be emphasised did the DPC at any time suggest or intimate to Facebook that Article 6(1)(b) [“processing is necessary for the performance of a contract”] was an appropriate lawful basis on which to base its processing operations.”

However the DPC’s statement appears to confirm it did discuss the potential of Facebook relying on Article 6(1)(b) — aka moving consent into the T&Cs as a contract clause — as a strategy for GDPR compliance, as the regulator specifies that “there were discussions on this matter… only insofar as to probe Facebook on its considerations concerning Article 6(1)(b) and to seek substantiation of its legal reasoning”.  

We’ll update this report if the DPC sends additional clarification on these discussions.