Ireland-led GDPR inquiry into Instagram’s use of kids’ data inches on

The DPC sent a draft decision to other EU data protection agencies on Friday regarding the investigation into the handling of children's data by the social media platform.

In October 2020, the DPC announced two statutory inquiries into how the social networking giant processes children's information following a number of complaints, and whether or not there are legal grounds for Facebook to claim that it processes children's data on the social networking site.

The second inquiry was going to look at the appropriateness of settings for children on the profile and account settings of the photo sharing website.

The DPC deputy commissioner confirmed in a statement that the regulator has handed the baton to other EU data protection authorities.

The inquiry was opened in September 2020. It was started in response to information provided to the DPC by a third party, and also in connection with issues identified by the DPC following examination of the Instagram user registration process. We submitted our draft decision to our colleagues last week. The process of sending draft decisions to other authorities is part of the process under the new EU law. This is the seventh DPC inquiry to reach the article 60 stage. Two other DPC inquiries into Facebook are currently at the article 60 stage.

The submission of a draft decision by a lead authority is a standard part of the regulatory process. The DPC draft decisions pertaining to big tech have allowed other DPAs to review the lead DPA's conclusions and submit objections if they disagree.

The only two final decisions to come out of Ireland on such cases so far were passed through this process and both received objections that led to increased penalties.

Ireland is likely to face similar opposition from other data supervisors. The conclusions of the DPC are being kept under wraps.

It could take over half a year before a final decision on the complaint is made, based on how long the process has taken to redo earlier DPC draft decisions.

The DPC submitted a draft decision in May 2020 and a final decision in December of the same year. The draft of the app was submitted in January of 2021, but it took until September for the fine to be agreed.

A final decision on the photo sharing site may not come before mid 2022.

The social network is facing high level pressure on home soil over its impact on vulnerable users like teens, following revelations by the Facebook whistle blower, who leaked thousands of internal documents to the media this fall, including research that appears to show the platform has a toxic impact.

In September, after a wave of negative press and critical backlash, it was announced that a version of its service for under 13s was being developed.

Adam Mosseri, the CEO of the photo sharing website, was called to give evidence to the US Senate as part of a series of hearings about online safety for children and teens. The platform just announced a slate of new safety features for young people, including its first parental tools.

Meta will be able to claim that the platform has moved on in how it handles children's data, even if the EU orders are out of date.

Ahead of a Congressional hearing, the photo sharing website announced plans for parental controls and other safety features.

DPC working with Meta was criticized.

The public notification of the draft submission for the photo-sharing service, which was made public on Friday, comes as the DPC is facing a backlash over its close working with Facebook and Meta: Aka, the tech giant that owns the photo-sharing service.

A document released Sunday by European privacy campaign group, noyb, details an intervention by the DPC that is clearly aligned with the interests of Facebook, as the regulator can be seen pushing for what noyb bills as a "consent bypass" to be written into the EDPB

It is clear that Facebook has sought to game compliance by changing the legal basis for processing users data for ad targeting, which is problematic since Facebook does not offer users a free choice over whether they accept behavioral ads or not.

Noyb has been challenging Facebook over this since May of last year.

The DPC has yet to make a decision on the complaint, but the regular is willing to accept the Facebook consent bypass.

Ireland's draft decision against Facebook was branded a joke.

The not-for-profit followed up that revelation by filing a charge of criminal corruption against the DPC last month, accusing the regulator of "procedural blackmail" and revealing it had written to noyb demanding it take down the draft decision. Noyb was pressured by the DPC to sign a non-disclosure order in relation to the ongoing procedure against Facebook if it did not agree to the blanket confidentiality demand.

There is no legal basis for the DPC to gag the oversight process. The regulator was asked to file a suit against it so that it could challenge any claim in court.

It has doubled down on its criticism of the DPC's attempts to enforce confidentiality by releasing more documents each Sunday before Christmas to shine more light on the inner function of the DPC.

The rebuttals from the regulator don't address the core legal points being raised by noyb.

The DPC has issued a new public statement denying that it bribed the European Data Protection Board to try to get it to adopt guidelines, and that it acted in bad faith when it held meetings with Facebook.

The statement admits to giving Facebook feedback between late 2017 and March of last year.

We asked the DPC for more information about the feedback it gave to Meta.

The DPC denied that it helped Facebook develop the GDPR consent bypass, writing: "[A]t no time in the course of its engagement with Facebook... did the DPC approve, co-developed, endorse, consent to, or negotiate." The DPC didn't suggest or intimate to Facebook that it was an appropriate lawful basis for its processing operations.

The DPC states in its statement that there were discussions on this matter, and that it did discuss the potential of Facebook relying on article 6(1)(b) to move consent into the T&Cs as a contract clause.
If the DPC gives more clarification on these discussions, we will update this report.

Facebook's privacy supervisor was hit with a corruption complaint.

The UK expects children's privacy design code to be in compliance.