EU investigates Instagram over failure to protect children’s personal data
Online safety is a significant concern for EU citizens. In a study, over 30% said they were worried about their data being misused by companies, governments, or cyber criminals.
Now, in a new report, the safety of children and young people has come under the spotlight. An EU-based regulator is now investigating Instagram over the handing of children’s personal data.
A news report from the BBC has drawn attention to an investigation currently being carried out by the Data Protection Commissioner (DPC), which is based in Ireland.
The DPC is looking into Instagram and how it protects the personal information of children. In particular, it is investigating the effectiveness of the current restrictions in place and whether they comply in EU or international privacy laws.
If these are found to be inadequate, Facebook, which owns Instagram, could be liable for a large fine, which may be up to 4% of its annual worldwide revenue.
What are the concerns?
The investigation was launched after a complaint from data scientist David Stier in 2019. He accuses Instagram of offering business accounts to children aged 13 and over, as well as allowing email addresses and phone numbers of minors can be publicly displayed.
In his analysis, he shows that Instagram is offering “millions” of under-18’s the option to switch to a business account, giving them the chance to collect information for analytical purposes.
In his blog post, he points out that this information can also be found in the HTML source code of web pages, and this means that it could be scraped by hackers.
He also accuses Instagram of ignoring privacy laws, as it doesn’t hide the email addresses and phone numbers of children. This, he says, “runs counter to the practice of nearly every website and app today.”
What will happen next?
Facebook says it will comply and cooperate with the investigations, but it denies the accusations. A spokesperson said that Facebook’s systems protect children’s data and there is an opt-out available, as required.
They added, “We’ve always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That’s very different to exposing people’s information.”
“We’ve also made several updates to business accounts since the time of Mr Stier’s mischaracterisation in 2019, and people can now opt out of including their contact information entirely.”
However, DPC deputy commissioner Graham Doyle said, “Instagram is a social media platform which is used widely by children in Ireland and across Europe.”
“The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination.”