EU opens probe into Instagram over exposure of children’s data
The EU has launched an investigation into Instagram over its handling of children’s data following accusations the platform exposed the contact details of millions of under-18s.
The Irish Data Protection Commission (DPC) today said it was opening two probes into Facebook, which owns Instagram, over claims that users’ phone numbers and email addresses were made public.
The DPC, which leads EU data regulation, has the power to fine Facebook billions of dollars if it is found to have broken data privacy rules.
The potential breach, which was first discovered last year, related to a setting that allowed Instagram users to switch their personal accounts into business ones.
This enabled users to access statistics about how many people were viewing their photos or videos. But it also meant that their contact details were publicly displayed on their profile, allowing anyone to access them.
Instagram has a minimum age of 13 but does not have a strict age verification process, meaning the personal details of even younger children may have been exposed.
The DPC today said it is investigating whether Facebook has a legal basis on which to process children’s personal data and if it has appropriate protections in place.
It will also examine whether Instagram’s profile and account settings comply with GDPR requirements, which have specific rules for protecting the rights of children as vulnerable people.
The investigation stems from a complaint by US data scientist David Stier, who last year wrote a blog post outlining the apparent breach.
Stier, who estimated that 60m children may have been affected, reported his findings to Facebook.
A Facebook spokesperson branded Stier’s findings a “mischaracterisation” and said Instagram had made several updates to its business account settings, including allowing people to opt out of showing their contact details.
“We’ve always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That’s very different to exposing people’s information,” the spokesperson said.
The company said it was in close contact with the DPC and was cooperating with its inquiries.