Ireland’s Data Protection Commission (DPC) recently imposed a €405 million fine on Instagram—a move that provides insight into how regulators intend to address breaches of privacy regulations. Regulators are getting serious and tough when it comes to citizens’ data—especially when those citizens are under the age of 18.
From the moment the General Data Protection Regulation (GDPR) came into force, regulators had the power to issue fines up to €10 million or 2% of a company’s global revenues. The preamble to the legislation made it clear the regulators hoped that it would not come to pass. But after four years, regulatory patience is running out—and fines will continue to rise if violations continue.
One estimate puts Instagram’s 2021 revenues at US$47.6 billion. The fine imposed is less than 1% of global revenues, but it could have been higher. GDPR fines are issued on a per-violation basis, so it’s possible that multiple fines can exceed the 2% threshold in aggregate.
In the case of Instagram, the citizens affected were children—and the GDPR specifically assigns special rights and protection to children. In the United Kingdom, children’s protections were further extended with the introduction of the Children’s Code in 2021.
In response to the fine, Instagram stated, “This inquiry focused on old settings that we updated over a year ago.” That might be true, but the regulator saw a violation. The fact that the issue is a year old isn’t significant from the regulator’s point of view—although clearly, it’s positive that Instagram has addressed the issues causing the violation.
There are many learning points for all companies that operate under the GDPR:
- Regulators will act to protect citizens’ data
- Children’s data is particularly sensitive
- Regulators are willing to show their teeth
- Repeat offenses will result in significant fines
- Addressing an issue after an investigation won’t protect the organization
- Fines will continue to rise
Firms’ IT and compliance functions need to adjust to the new regulatory compliance reality: They need to reassess privacy risk. The idea that a violation might cost 1% or 2% of revenues is also a reality. A violation can present an existential risk to some companies.
Firms should also consider what portion of their data is personal or sensitive and how secure it is. They must not let data accumulate into tomorrow’s problems—active data retention and data disposition policies are required.
Instagram was handed the second largest GDPR fine ever issued. Businesses need to understand that regulators are getting serious and tough. Waiting for the regulator to come to you isn’t a strategy. Executives need to be proactive about compliance to reduce financial and reputational risk and operational costs for their companies.
To learn how Proofpoint can help with different aspects of data privacy strategy, contact your Proofpoint sales representative or authorized Proofpoint reseller.