Ireland's Data Protection Commissioner (DPC) is conducting an investigation on Instagram over its handling of children's personal data.
Instagram owner Facebook may be slapped by DPC with a hefty fine if it discovered that the social media app broke privacy laws in its handling of children's data.
The probe was started following complaints that Instagram made contact information on business accounts publicly visible to anyone accessing the app.
In the European Union (EU), most of the US tech companies' headquarters are located in Ireland and under the EU General Data Protection Regulation (GDPR), the DPC is the lead regulator.
The DPC is concerned with the protection of individuals' right to online privacy, and has the authority to issue large fines.
Instagram investigation
Currently, the DPC is trying to determine whether Facebook has the legal right to process children's personal data and whether it implements enough protections and restrictions on Instagram for children.
Additionally, the regulator is also examining whether Facebook complied with GDPR requirements in relation to Instagram's profile and account settings. The DPC is investigating whether Facebook is sufficiently protecting the data protection rights of children as vulnerable persons.
Children at least 13 years old can create an account on Instagram.
DPC deputy commissioner Graham Doyle said: "Instagram is a social media platform which is used widely by children in Ireland and across Europe."
"The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination," Doyle added.
What were the complaints about?
In February 2019, data scientist David Stier conducted an analysis of roughly 200,000 Instagram users globally and found that for more than a year, approximately 60 million users under the age of 18 were given the option to easily change their profiles into business accounts.
On Instagram, business account users are required to display their phone numbers and email addresses publicly. This makes their personal data visible to other Instagram users.
Stier also discovered that the same personal information can be found in the HTML source code of web pages accessed when using Instagram on a computer, making them accessible to hackers.
While he reported his discovery to Facebook, Stier wrote in a Medium blog that Instagram did not want to hide the email addresses and phone numbers for business accounts. However, Facebook later decided to remove the contact information from the source code of Instagram pages.
The scientist believed that despite the later removal of personal data from the source code, hackers may have already stolen personal information from Instagram's website, after it was discovered in May 2019 that contact details of 49 million users were stored online in an unguarded database owned by a firm in India.
Stier said: "Do we have a responsibility to keep kids' phone numbers and emails hidden so that strangers can't find them just by clicking a button? Speaking as a parent, I want to be assured that the experience Instagram offers to teens is as 'adult-overseen' as possible."
In other news, Instagram announced that it will increase its efforts to catch influencers who not practice proper disclosure for paid posts.
The move by Instagram to be stricter on influencers who fail to disclose when they have been paid for their posts follows an investigation by UK watchdog the Competition and Markets Authority (CMA) showing that the social media platform was failing to protect consumers from being misled.
