Instagram is being investigated by Ireland’s Data Protection Commission due to concerns that the social network handled the data of children in a way that may have violated European data protection laws.
The investigation, which according to a statement issued by the DPC on Monday, was opened back in September, follows concerns that children may have had their email addresses and contact phone numbers made public by switching their accounts from personal accounts to business accounts.
Business accounts on Instagram give users access to more analytics, which can be useful if they’re trying to understand what content is performing well or trying to grow their accounts. But historically when converting a business account to a personal account, either the user’s phone number or email address was automatically accessible from their bio without being masked.
Anyone can convert their personal account to a business account — you don’t necessarily have to prove you’re a business to do so, and it’s a popular option with teens and other young users (children are supposed to be 13 to have an Instagram account, but many are able to set one up at a younger age).
David Stier, a US-based data scientist, last year said publicly that after analyzing the profiles of 200,000 Instagram accounts from across the world, he estimates 60 million people under the age of 18 were given the option of converting their Instagram accounts to business accounts. He reported the discovery to Instagram, but said the company had refused to start masking business contact details.
By allowing children’s contact details to be listed publicly, Instagram could be in violation of Europe’s strict General Data Protection Regulation, known as GDPR. If found to be in violation of GDPR, companies can face huge fines and be forced to change the way they handle data in order to continue operating within the EU.
The Irish DPC has become the lead regulator for fielding GDPR complaints made against the majority of Silicon Valley companies, due to these companies choosing to base their headquarters in Ireland. The DPC has active investigations open into Twitter, Google, Apple and Facebook, although because this latest investigation involves the privacy of children it could well be prioritized.
“The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination,” said the watchdog in a statement on Monday.
It added that it was conducting two separate inquiries into the matter. The first seeks to establish whether Facebook, Instagram’s parent company, employs adequate protections and or restrictions for processing children’s data, as well as whether it meets its obligations as a data controller with regard to transparency requirements in its provision of Instagram to children.
The second inquiry will focus on Instagram profile and account settings and the appropriateness of these settings for children. It will look to see whether Facebook adheres to the principal laid out in GDPR, which require data protection to be embedded in services by design and by default, with particular emphasis on protecting children who are considered vulnerable persons.
“We’ve always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed,” said a Facebook spokesperson in a statement. “That’s very different to exposing people’s information.”
They added that the company had made several updates to business accounts since the initial complaint was made, including allowing people to opt out of having their contact information displayed. “We’re in close contact with the IDPC and we’re cooperating with their inquiries,” they said.