- The EU is investigating whether Instagram broke data-privacy laws after it allegedly exposed the personal data of millions of children, the Telegraph reports.
- It follows a complaint from a US data scientist, who last year said that Instagram allowed underage users to publicly display their phone numbers and email addresses by switching to “business” accounts.
- Ireland’s Data Protection Commission, the official European data regulator for Instagram owner Facebook, is launching two investigations following the formal complaint.
- Under Europe’s strict data privacy laws, Instagram’s parent company Facebook could face maximum fines equal to 4% of its annual revenue.
- Visit Business Insider’s homepage for more stories.
The EU is leading two active investigations into whether Instagram illegally exposed the personal details of millions of underage users, the Telegraph reported Monday.
The investigations are being carried out by Ireland’s Data Protection Commission (DPC), the official data regulator for Instagram’s parent company Facebook in Europe. Facebook’s European headquarters are in Dublin.
The DPC launched the investigations last month after it received a complaint from US data scientist David Stier. Stier told the Telegraph he believes as many as 5 million users under the age of 18 had their personal contact details exposed.
“Instagram had enormous resources at their disposal, but this incident shows they had woefully low levels of empathy, safety awareness and care for their users,” Stier said.
DPC Deputy Commissioner Graham Doyle told the Telegraph that the commission “has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination.”
The first of the DPC’s investigations will focus on whether Instagram promotes user privacy, especially for child users. The second will focus specifically on whether it’s appropriate for its business accounts feature to display the contact details of underage users.
The Telegraph reports that under EU data protection regulations, each investigation could result in a maximum fine of 4% of Facebook’s annual revenue. Facebook’s annual turnover for 2019 was $70.7 billion, meaning a maximum 4% fine would equal $2.8 billion.
Instagram loophole discovered in 2019
Stier wrote in a Medium post in 2019 that he had found an Instagram loophole that allowed the personal data of underage users to be publicly exposed.
The loophole is linked to how Instagram allows users to switch between a regular account and a “business” account. To change over to having a business account, Instagram users must add either a phone number or an email address, which was then publicly accessible.
“Because there are seemingly no restrictions on who can change their personal profile to a business account, many kids have figured out that they can ‘claim’ to have a business so that they can add the contact buttons onto their own profile page,” Stier wrote in 2019.
Instagram has since changed this process so business account holders have to opt-in to having their contact details publicly displayed.
“We’ve always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That’s very different to exposing people’s information,” an Instagram spokesperson told Business Insider.
“We’re in close contact with the IDPC and we’re cooperating with their inquiries,” they added.
Powered by WPeMatico