Instagram is being investigated by Ireland’s Data Protection Commissioner (DPC) over its handling of children’s personal data on the platform.
The social media app’s owner Facebook could face a large fine if Instagram is found to have broken privacy laws.
The investigations stem from complaints that Instagram made contact information on business accounts publicly visible to anyone accessing the app.
The BBC has approached Facebook for comment.
A number of US tech giants have their European headquarters in Ireland, and the DPC is the lead European Union regulator under the EU General Data Protection Regulation (GDPR), which came into force in 2018.
The DPC is responsible for protecting individuals’ right to online privacy and has the power to issue large fines.
The Irish regulator is investigating whether Facebook has a legal basis for processing children’s personal data and if it employs adequate protections and restrictions on Instagram for children.
Separately, it is also looking at whether Facebook has adhered with GDPR requirements in relation to Instagram’s profile and account settings. It is inquiring into whether Facebook is adequately protecting the data protection rights of children as vulnerable persons.
The minimum age for having an Instagram account is 13.
“Instagram is a social media platform which is used widely by children in Ireland and across Europe,” said Graham Doyle, a deputy commissioner with DPC.
“The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination.”
In February 2019, data scientist David Stier analyzed profiles of almost 200,000 Instagram users across the world. He estimated that for over a year, at least 60 million users under the age of 18 were given the option to easily change their profiles into business accounts.
Instagram business accounts require users to display their phone numbers and email addresses publicly, meaning that personal data belonging to many users is visible to other Instagram users.
The same personal information was also contained in the HTML source code of web pages accessed when using Instagram on a computer, meaning that it could be “scraped” by hackers.
Mr. Stier reported his findings to Facebook, but he wrote in a Medium blog that Instagram had refused to mask the email addresses and phone numbers for business accounts.
However, Facebook did decide to remove the contact information from the source code of Instagram pages.
Despite this, Mr. Stier believes that hackers might have succeeded in stealing the personal information from Instagram’s website, after it was revealed in May 2019 that contact details relating to 49 million users were stored online in an unguarded database owned by a firm in India.
“Do we have a responsibility to keep kids’ phone numbers and emails hidden so that strangers can’t find them just by clicking a button?” wrote Mr. Stier.
“Speaking as a parent, I want to be assured that the experience Instagram offers to teens is as ‘adult-overseen’ as possible.”