EU investigates Instagram over handling of children's data

Instagram is being investigated by Ireland's Data Protection Commissioner (DPC) over its handling of children's personal data on the platform.

The social media app's owner Facebook could face a large fine if Instagram is found to have broken privacy laws.

It comes amid reports Instagram failed to protect data, including allowing email addresses and phone numbers of those under 18 to be made public.

Facebook said it rejected the claims but was cooperating with the DPC.

A number of US tech giants have their European headquarters in Ireland, and the DPC is the lead European Union regulator under the EU General Data Protection Regulation (GDPR), which came into force in 2018.

The DPC is responsible for protecting individuals' right to online privacy, and has the power to issue large fines.

The Irish regulator is investigating whether Facebook has a legal basis for processing children's personal data and if it employs adequate protections and restrictions on Instagram for children.

Separately, it is also looking at whether Facebook has adhered with GDPR requirements in relation to Instagram's profile and account settings. It is inquiring into whether Facebook is adequately protecting the data protection rights of children as vulnerable people.

The minimum age for having an Instagram account is 13.

"Instagram is a social media platform which is used widely by children in Ireland and across Europe," said Graham Doyle, a deputy commissioner with DPC.

"The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination."

According to reports, the investigation stems from a complaint from David Stier, a US-based data scientist who last year analysed profiles of almost 200,000 Instagram users across the world.

He estimated that for over a year, at least 60 million users under the age of 18 were given the option to easily change their profiles into business accounts.

Instagram business accounts require users to display their phone numbers and email addresses publicly, meaning that personal data belonging to many users is visible to other Instagram users.

The same personal information was also contained in the HTML source code of web pages accessed when using Instagram on a computer, meaning that it could be "scraped" by hackers.

Mr Stier reported his findings to Facebook, but he wrote in a Medium blog, external that Instagram had refused to mask the email addresses and phone numbers for business accounts.

However, Facebook did decide to remove the contact information from the source code of Instagram pages.

However, on Monday a Facebook spokeswoman told the BBC that Mr Stier's claims were based on a misunderstanding of its systems.

"We've always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That's very different to exposing people's information.

"We've also made several updates to business accounts since the time of Mr Stier's mischaracterisation in 2019, and people can now opt out of including their contact information entirely."

Mr Stier has also alleged that hackers might have succeeded in stealing personal information from Instagram's website, after it was revealed in May 2019 that contact details relating to 49 million users were stored online in an unguarded database owned by a firm in India.

"Do we have a responsibility to keep kids' phone numbers and emails hidden so that strangers can't find them just by clicking a button?" wrote Mr Stier.

"Speaking as a parent, I want to be assured that the experience Instagram offers to teens is as 'adult-overseen' as possible."