Instagram’s handling of kids’ data is now being probed in the EU

Facebook's lead data regulator in Europe has opened another two probes into its business empire — both focused on how the Instagram platform processes children's information.

The action by Ireland's Data Protection Commission (DPC), reported earlier by the Telegraph, comes more than a year after a US data scientist reported concerns to Instagram that its platform was leaking the contact information of minors. David Stier went on to publish details of his investigation last year — saying Instagram had failed to make changes to prevent minors' data being accessible.

He found that children who changed their Instagram account settings to a business account had their contact info (such as an email address and phone number) displayed unmasked via the platform — arguing that "millions" of children had had their contact information exposed as a result of how Instagram functions.

Facebook disputes Stier's characterization of the issue — saying it's always made it clear that contact info is displayed if people choose to switch to a business account on Instagram.

It also does now let people opt out of having their contact info displayed if they switch to a business account.

Nonetheless, its lead EU regulator has now said it's identified "potential concerns" relating to how Instagram processes children's data.

Per the Telegraph's report the regulator opened the dual inquiries late last month in response to claims the platform had put children at risk of grooming or hacking by revealing their contact details. 

The Irish DPC did not say that but did confirm two new statutory inquiries into Facebook's processing of children's data on the fully owned Instagram platform in a statement emailed to TechCrunch in which it notes the photo-sharing platform "is used widely by children in Ireland and across Europe".

"The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination," it writes.

The regulator's statement specifies that the first inquiry will examine the legal basis Facebook claims for processing children's data on the Instagram platform, and also whether or not there are adequate safeguards in place.

Europe's General Data Protection Regulation (GDPR) includes specific provisions related to the processing of children's information — with a hard cap set at age 13 for kids to be able to consent to their data being processed. The regulation also creates an expectation of baked in safeguards for kids' data.

"The DPC will set out to establish whether Facebook has a legal basis for the ongoing processing of children's personal data and if it employs adequate protections and or restrictions on the Instagram platform for such children," it says of the first inquiry, adding: "This Inquiry will also consider whether Facebook meets its obligations as a data controller with regard to transparency requirements in its provision of Instagram to children."

The DPC says the second inquiry will focus on the Instagram profile and account settings — looking at "the appropriateness of these settings for children".

"Amongst other matters, this Inquiry will explore Facebook's adherence with the requirements in the GDPR in respect to Data Protection by Design and Default and specifically in relation to Facebook's responsibility to protect the data protection rights of children as vulnerable persons," it adds.

In a statement responding to the regulator's action, a Facebook company spokesperson told us:

We've always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That's very different to exposing people's information. We've also made several updates to business accounts since the time of Mr. Stier's mischaracterisation in 2019, and people can now opt out of including their contact information entirely. We're in close contact with the IDPC and we're cooperating with their inquiries.

Breaches of the GDPR can attract sanctions of as much as 4% of the global annual turnover of a data controller — which, in the case of Facebook, means any future fine for violating the regulation could run to multi-billions of euros.

That said, Ireland's regulator now has around 25 open investigations related to multinational tech companies (aka cross-border GDPR cases) — a backlog that continues to attract criticism over the plodding progress of decisions. Which means the Instagram inquiries are joining the back of a very long queue.

Earlier this summer the DPC submitted its first draft decision on a cross-border GDPR case — related to a 2018 Twitter breach — sending it on to the other EU DPAs for review.

That step has led to a further delay, as the other EU regulators did not unanimously back the DPC's decision — triggering a dispute mechanisms set out in the GDPR.

In separate news, an investigation of Instagram influencers by the UK's Competition and Markets Authority found the platform is failing to protect consumers from being misled. The BBC reports that the platform will roll out new tools over the next year including a prompt for influencers to confirm whether they have received incentives to promote a product or service before they are able to publish a post, and new algorithms built to spot potential advertising content.