Instagram's handling of children's data sparks EU investigation

Regulators are concerned that accounts can expose kids' personal contact info.

Europe’s head regulator over Facebook is investigating Instagram over how it protects kids’ personal information, according to the BBC (via TechCrunch). The probe came about after reports that Instagram offered business accounts to children as young as 13 years old, potentially exposing their email addresses and phone numbers. Facebook denies the claims, but could face a large fine if Instagram broke EU privacy laws.

Ireland’s Data Protection Commissioner (DPC) initiated the probe to see whether Facebook, via Instagram, has the legal right to process the personal data of children. It’s also checking whether the company used sufficient protections and restrictions on the site for minors.

“Instagram is a social media platform which is used widely by children in Ireland and across Europe,” said DPC deputy commissioner Graham Doyle. “The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination.”

Last year, data scientist David Stiers claimed that Instagram offered “millions” of minors the chance to switch their private Instagram accounts to business accounts in exchange for analytics tracking. However, such accounts required the owner to publicly display their email address and/or phone number in the app. On top of that, if the user accessed web pages while logged into Instagram, the information could be scraped from HTML code.

As a result, Stiers found that contact information for minors was displayed in plain sight on their profile pages. Not only that, but someone had indeed scraped web pages and created a database of millions of Instagram business accounts with email addresses and/or phone numbers, including those of minors.

Facebook is cooperating with the DPC, but rejected the claims. “We’ve always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed,” a Facebook spokesperson told the BBC. “That's very different to exposing people's information.” The company added that it has made several updates to business accounts since Stiers’ report and now allows users to opt out of including their contact information. In addition, it no longer embeds contact info in the source code of Instagram pages.

On top of seeing if Facebook is adequately protecting kids’ privacy, the DPC also wants to know if it’s in compliance with Europe’s privacy regulations. “Amongst other matters, this inquiry will explore Facebook’s adherence with the requirements in the GDPR in respect to ‘data protection by design and default’ and specifically in relation to Facebook’s responsibility to protect the data protection rights of children as vulnerable persons,” the regulator wrote. If Facebook failed to comply, it could be subject to a fine of as much as four percent of the company’s annual worldwide revenue.