Facebooks The leading data regulator in Europe has opened two more probes for its business empire. Both have focused on how the Instagram platform processes children's information.
The action by the Irish Data Protection Commission (DPC), previously reported by the Telegraph, comes more than a year after a US data scientist reported Instagram concerns that underage contact information was being lost on its platform. David Stier released details of his investigation last year. Instagram did not make any changes to prevent access to the data of minors.
He found that children who changed their Instagram In the account settings of a business account, the contact information (e.g. an email address and a phone number) was revealed via the platform. "Millions" of children had disclosed their contact information because of how Instagram worked.
Facebook denies Taurus' characterization of the problem. It has always been made clear that contact information will be displayed when people switch to a business account on Instagram.
Additionally, users can now turn off their contact information when they switch to a business account.
Still, the leading EU regulator has now said it has identified "potential concerns" about Instagram's processing of children's data.
Per tIn the Telegraph's report, the regulator opened the double investigation late last month in response to allegations that the platform exposed children to the risk of grooming or hacking by disclosing their contact details.
The Irish DPC did not say so, but confirmed two new legal investigations into the processing of child data by Facebook on the 100% Instagram platform in a statement emailed to TechCrunch stating that the photo-sharing platform is "By children in Ireland and Ireland is widespread across Europe".
"The DPA has been actively monitoring people's complaints in this area and has identified potential concerns about the processing of children's personal data on Instagram that need further investigation," she writes.
The regulatory authority's declaration stipulates that the first investigation will examine the legal basis that Facebook claims for processing children's data on the Instagram platform and whether or not appropriate security precautions have been taken.
The European General Data Protection Regulation (GDPR) contains specific provisions for the processing of children's information – with an upper limit set at the age of 13 for children to consent to their data being processed. The regulation also creates the expectation that safeguards will be put in place for children's data.
"The DPC will find out whether Facebook has a legal basis for ongoing processing of children's personal data and whether it is applying appropriate safeguards and / or restrictions on the Instagram platform for such children," the first investigation said, adding: " This investigation will also check whether Facebook is fulfilling its obligations as a data controller with regard to transparency requirements in the provision of Instagram for children. "
The DPC says the second request will focus on the Instagram profile and account settings – taking into account the "appropriateness of these settings for children".
"Among other things, this investigation examines whether Facebook complies with the requirements of the GDPR on Data Protection by Design and Default and in particular on Facebook's responsibility to protect the privacy rights of children as vulnerable, ”it adds.
In a statement in response to the regulator's actions, a Facebook company spokesperson told us:
It was always clear to us that the contact information they shared would be publicly displayed when users set up a business account on Instagram. This is very different from disclosing information. Since Mr. Stier's incorrect characterization in 2019, we have also made several updates to business accounts. Users can now refuse to provide full contact information. We are in close contact with the IDPC and work together on their inquiries.
Violations of the GDPR can result in sanctions of up to 4% of the worldwide annual turnover of a data controller. In the case of Facebook, this means that a future fine for violating the regulation can amount to several billion euros.
The Irish regulator currently has around 25 open investigations into multinational tech companies (aka cross-border GDPR cases) – a backlog that continues to generate criticism of the slow progress in making decisions. This means that the Instagram requests are in a very long queue.
Earlier this summer, the DPA presented its first draft decision on a cross-border GDPR case – related to a 2018 Twitter violation – and forwarded it to the other EU data protection authorities for review.
This move has added another delay as the other EU regulators did not unanimously support the DPC's decision and triggered a dispute mechanism set out in the GDPR.
In separate news, an investigation by the UK's Competition and Markets Authority into Instagram influencers found that the platform does not protect consumers from being misled. The BBC reports that the platform will roll out new tools over the next year, including a request for influencers to confirm whether they have received incentives to promote a product or service before they can post a post, as well as new algorithms, to identify potential advertising content.