Ireland’s Data Protection Commission has launched two inquiries into how Instagram handles children’s data.
Two inquiries were launched last month by the Irish Data Protection Commissioner (DPC) over claims Instagram made personal details of account holders under the age of 18 public. The Telegraph reported that the DPC responded over fears that such a breach may put children at risk of online grooming or targeted cyberattacks.
Under Instagram’s rules, account holders need to be 13 years or older, however a survey by Ofcom in the UK in 2017 showed there are a significant number of users younger than that. Last year, Facebook-owned Instagram began verifying user ages upon creation of an account to “help keep young people safer”.
The DPC concerns reportedly relate to users under the age of 18 who have changed their personal account into a business account in order to gain access to platform analytics that show them how many people have viewed their posts.
Until recently, Instagram required business users to display their contact details on their profile, such as a phone number or email address. It has since allowed anyone to set up a business account without providing proof that they are running a business.
In 2019, US data scientist David Stier estimated that as many as 5m children could be left exposed due to the issue. Furthermore, up until last year, it was possible to ‘scrape’ this contact information from Instagram on a web browser for large-scale data collection.
Focus of investigations
In a statement today (19 October), the DPC confirmed that it is opening two inquiries. The first aims to establish whether Facebook has a legal basis for the ongoing processing of children’s personal data and if it employs adequate protections and restrictions on Instagram for children.
The second inquiry will look at Instagram’s business accounts feature and the appropriateness of profile and account settings for children. It will also explore Facebook’s adherence to GDPR and its responsibility to protect the data protection rights of children as vulnerable persons.
“The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination,” it said.
Stier also commented on the investigation to the Telegraph. He said that despite having considerable resources, the incident shows Instagram has “woefully low levels of empathy, safety awareness and care for their users”.
In a statement, Instagram said that it no longer asks business account holders to reveal their contact details publicly. “We’re in close contact with the Irish DPC and we’re cooperating with their inquiries,” it said.
Under current European data protection laws, Facebook could be fined up to 4pc of its annual revenue for each of the two investigations if it is found to have breached privacy regulations.