Ireland’s Data Protection Commission (DPC) launched an investigation against Facebook’s Instagram for allegedly failing to protect children’s data on its platform. Facebook, the company that owns the social media app, could face heavy fines if found guilty of violating privacy laws.
The investigation began after reports emerged that Instagram failed in data protection and allowed the email addresses and contact numbers of children under the age of 18 to be made public.
Facebook says it denies the allegations, but also says it is cooperating with the data protection commissioner.
Role of DPC in data protection
European headquarters of many major US technology companies exist in Ireland. DPC as the EU’s first regulator is responsible for data protection under the EU’s General Data Protection Regulation (GDPR).
The DPC has a responsibility to protect individual privacy on the Internet and, in case of violation of data protection laws, empowered to impose heavy fines.
The Irish regulator is probing whether Facebook has a legal basis to process children’s personal data and whether there are restrictions on Instagram to ensure satisfactory protection for children.
In addition, the regulator is looking at Facebook’s compilation with GDPR in terms of Instagram profile and account settings.
DPC Deputy Commissioner Graham Doyle admits the significance of Instagram by stating that Instagram is used by children across Ireland and Europe.
The DPC actively reviews complaints from people and recently has raised concerns about the children’s data on Instagram, which is now under investigation.
Complaint against Investigation
According to reports, the investigation of Facebook’s Instagram began after a complaint by a data scientist, named David Stier, in the United States, when he reviewed the data of 200,000 Instagram users worldwide.
He estimates that about a year, approximately 60 million users, under the age of 18, have been allowed to change their profile into a business account.
It is mandatory for business account holders on Instagram to make their personal data visible by disclosing their phone numbers and email addresses.
The personal information was also included in the HTML source code of web pages that can be easily accessed by hackers when Instagram is operated on computers.
Stier shared the findings with Facebook and further wrote in a blog that Instagram had refused the secrecy of phone numbers and email addresses of business accounts. However, Facebook has decided the removal of such information from the source code of Instagram pages.
However, a Facebook spokesperson explained that Stier’s claim was based on a misunderstanding about the system.
“We’ve always been clear that when people create a business account on Instagram, the information they provide is public and that’s very different from disclosing people’s information,” he said.
“Ever since Stier made these allegations in 2019, we’ve made changes to our business accounts. Now it depends upon the will of the users whether they want to share their information or not.”
Stier also alleges that hackers may have hacked Instagram’s website and succeeded in stealing user’s personal information, after it was revealed in May 2019 that the information of 49 million users was in an Indian firm’s database without security.
Stier suggests that it is our responsibility to keep the children’s phone numbers and emails secret so that strangers can’t reach them with just one click. He further adds that as a parent I want to make sure whatever the experience teenagers have on Instagram it should be observed by the elders.