In fining Instagram a record 405 million euros (U.S. $405 million) earlier this month for General Data Protection Regulation (GDPR) violations regarding the safeguarding of teenage users’ data, the Irish Data Protection Commission (Irish DPC) took some heat of its own.

The regulator began its investigation in 2020 into the way users between the ages of 13 and 17 could open “business accounts” on the social media platform, which led to their phone numbers and/or email addresses being published widely in certain cases, and why child users’ accounts had a default “public” rather than “private” setting.

Judging from the European Data Protection Board’s (EDPB) binding decision, released Sept. 15, deliberations during the cross-border case were far from smooth.

Since Meta, the company that owns Instagram, has its European headquarters in Ireland, it is normally incumbent upon the Irish DPC to act as lead supervisory authority in any cross-border investigation on behalf of other European data protection authorities (DPAs).

Previous cross-border cases have shown DPAs can interpret the GDPR differently, have varying views about enforcement, and display different tolerances about what constitutes a violation. They are also keen to ensure specific complaints and harms pertinent to their own citizens are adequately addressed and not overlooked. This case was no different.

The German, French, Finnish, Italian, Dutch, and Norwegian DPAs all raised objections to the Irish DPC’s draft decision for being too soft. Their main concerns were the Irish regulator’s proposal to issue fines between €202 million to €405 million started from too low a base and that the Irish DPC failed to recognize the full seriousness of Instagram’s mishandling of children’s personal data, which some DPAs thought was “intentional” rather than “negligent.”

“That Instagram had designed its system to have children’s accounts as public by default and to allow children to have business accounts on the platform … has real and serious safeguarding consequences.”

Jowanna Conboye, Technology and Data Protection Partner, Spencer West

The Irish DPC initially rejected their concerns as not being “relevant” or “reasoned.”

The EDPB’s binding decision—a step taken under Article 65 of the GDPR when the Irish DPC could not gain consensus with other DPAs—shows how off the mark the regulator’s investigation and conclusions might have been.

The EDPB’s decision suggests the Irish DPC focused too heavily on the nitty-gritty of interpreting the GDPR, rather than examining the simple questions of whether it is right for a company to process data without informed consent and/or make children’s data publicly available under any circumstances.

The EDPB said the scope of the Irish DPC’s inquiry was too limited and inferred the regulator sided with Meta too easily without explaining why.

In its opinion, the EDPB said the Irish DPC’s belief that processing children’s data was sometimes necessary was “substantially erroneous” and “did not properly assess the impact of the processing.” The EDPB added the regulator “only took into account the positive consequences of the processing, whereas it failed to give proper weight to all the other relevant elements and the risks it had itself identified.”

Further, said the EDPB, “[A]lthough the public-by-default processing was examined by the [Irish DPC] in the draft decision, the question of compliance of the public-by-default processing with Article 6 GDPR was neither within the scope of the inquiry … nor it was addressed by the [Irish DPC] in the draft decision.”

Legal experts believe the differences highlighted between the Irish DPC’s approach and the EDPB’s binding decision show the difficulties in trying to enforce and comply with the GDPR.

“The fact the Irish DPC first reached different and more lenient conclusions in relation to Meta’s processing of children’s data should be a concern,” said Jowanna Conboye, technology and data protection partner at law firm Spencer West. “That Instagram had designed its system to have children’s accounts as public by default and to allow children to have business accounts on the platform … has real and serious safeguarding consequences.”

Will Richmond-Coggan, data and privacy disputes specialist at law firm Freeths, said the decision highlights the main problems with GDPR enforcement in terms of resourcing, legal interpretation, and consistency in regulatory decisions. He suggested the EDPB take more of a lead in future enforcement.

“There is considerable uncertainty at a European level about how any individual complaint will be addressed,” he said. “This is not helpful for the complainants, for the under-resourced authorities trying to police organizations significantly bigger than they are, or for organizations themselves looking to ensure they stay on the right side of the line in these technically complex areas.”

Caroline Carruthers, chief executive and co-founder of global data consultancy Carruthers and Jackson, believes educating companies about the ethics of legitimate data use and retention, rather than “big stick” enforcement, is the most sensible way forward.

“We need to get back to basics and base data governance on ethical considerations rather than just trying to strictly follow the latest data regulations,” she said.