Did Instagram violate the GDPR by retaining users’ deleted data?

For more than two years, Instagram was keeping pictures and direct messages on its servers after users deleted them.

The researcher Saugat Pokharel discovered the error after sending the social media giant a request to access the information it stored on him.

After noticing that the file contained records he’d deleted from his account, he reported the error to Instagram through its bug bounty program.

The Facebook-owned site awarded Pokharel $6,000 (£4,500) for finding the bug and said the issue had now been resolved.

But should a GDPR (General Data Protection Regulation) fine also be on its way?

The right to erasure

Under the GDPR, individuals have the right to erasure – also known as the right to be forgotten.

It states that users are entitled to request that organisations permanently remove any information pertaining to them – not just from the user’s end but from the organisation’s systems and backups.

There are circumstances where organisations are permitted, or legally required, to retain some or all of a user’s information and can therefore reject a request.

This will be the case when the information is necessary:

  • To exercise the right of freedom of expression and information;
  • To comply with a legal obligation;
  • To perform a task carried out in the public interest or in the exercise of official authority;
  • For archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • For the establishment, exercise or defence of legal claims.

The GDPR also states that the right to erasure doesn’t apply to sensitive information when the processing is necessary for public health purposes in the public interest or for preventive or occupational medicine.

Likewise, requests can be rejected if the organisation deems them manifestly unfounded or excessive.

It’s hard to justify any of these exemptions applying in this instance, so does that mean Instagram was violating the GDPR?

Maybe. It depends on whether you believe deleting information from your account equals a request to delete it from the organisation’s servers.

There’s certainly a logical connection – if you don’t want the data on your account, surely you want it removed permanently.

If that was the case, Instagram would be required to remove the information from its systems within 30 days.

However, Instagram will very likely argue that its terms of service outline how it will process users’ personal information; to use the site, users must consent to these practices.

Removing a photo from the account doesn’t mean the user has withdrawn their consent or exercised their right to erasure. As such, Instagram will undoubtedly state it has no legal obligation to remove the data.

That’s not to say a mistake hasn’t occurred, though. Instagram didn’t intend to keep the information for more than a year; the site says that it removes user-deleted information from its systems within about 90 days.

The vulnerability that Pokharel discovered meant that this wasn’t happening. That would eventually cause problems, because Instagram is legally required to remove information when it’s no longer necessary – although the timeframe surrounding this is much broader than the right to erasure.

Instagram’s response to the vulnerability being discovered suggests that it is confident that no violation has occurred. A spokesperson for the organisation confirmed the bug and its fix, and said that there had been “no evidence of abuse”.

“We thank the researcher for reporting this issue to us,” they added.

GDPR compliance support with GRCI Law

Are you unsure of your GDPR compliance obligations? If so, our Privacy as a Service solution might be ideal.

Our team of experienced lawyers, barristers, and information and cyber security experts will work with you to help you achieve regulatory success.

This includes help with compliance monitoring, breach notification processes and data privacy management, and support completing DSARs (data subject access requests).

Get GDPR and data privacy legal expertise with our Privacy as a Service