Ireland’s Data Protection Commission has opened two investigations into Facebook and Instagram, both dealing with how the latter processes children’s data on its platform, it said in a statement on Monday. Broadly, the first inquiry will focus on Facebook’s legal bases for processing children’s personal data, and the second one will analyse Instagram’s profile and account settings, and how appropriate they are for protecting children’s privacy.
- As part of the first inquiry, the regulator will assess whether Facebook has a legal basis for processing children’s personal data, and if Instagram has adequate protections for their data. This inquiry will also consider whether Facebook meets its obligations as a data controller with regard to transparency requirements under Europe’s General Data Protection Regulation.
- The second inquiry will explore Facebook’s adherence to the requirements in the GDPR with respect to Data Protection by Design and Default.
A researcher had found that the personal data of millions of kids using Instagram was easily accessible: The regulator’s investigation reportedly comes a year after complaints by a US-based researcher over Instagram’s handling of children’s personal data, the Telegraph first reported. In a blog post published on Medium last year, Stier revealed that he analysed nearly 200,000 Instagram users in multiple countries and found that for more than a year over 60 million children could change their personal accounts into an Instagram business account, which exposed their personal information such as phone number and email address. It should be noted that the Irish DPC’s statement doesn’t specify that its investigation is a direct result of Stier’s findings.
“Instagram is a social media platform which is used widely by children in Ireland and across Europe. The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination,” the regulator said in a statement.
Facebook calls the researcher’s findings ‘misconfigured’: In a statement to TechCrunch, Facebook said that it made it clear that a person’s contact information would be displayed publicly if they choose to change a personal account into a business account on Instagram, claiming that it’s “very different to exposing people’s information”. It also added that since Stier’s findings, it has made changes to this particular setting, and people can now choose whether to display their contact information publicly even if they have a business account.
Processing children’s data under the GDPR: GDPR requires that the processing of personal data of minors will only be lawful if the minor in question is at least 16 years old. For a child younger than 16 years of age, personal data can only be processed after obtaining consent from the child’s parents or guardians. Breaching provisions of the GDPR can result in fines of as much as 4% of the global annual turnover of a company.
Facebook sued over invasive Instagram camera: In September, Facebook was sued after it was found that Instagram can constantly access a smartphone’s camera while the app is open, and monitor users without seeking their consent. The lawsuit alleged that Instagram was doing this to gain valuable insight into how users interact with ads on the platform, in order to target ads and further increase its advertising revenue.