Facebook Under Scrutiny Over Handling of Children’s Data on Instagram

What Happened: Graham Doyle, Deputy Commissioner of the Data Protection Commission (DPC) - the main privacy regulator in the European Union - told Reuters that "potential concerns" were identified in how the Mark Zuckerberg-led company processes children's personal data on Instagram.

However, switching to a business account would also mean the user's personal contact details were publicly displayed on their profile, allowing anybody to contact the children outside of the app.

The BBC has approached Facebook for comment.

Ireland hosts the European headquarters of a number of US technology firms, making the DPC the EU's lead regulator under the bloc's General Data Protection Regulation's "One Stop Shop" regime introduced in 2018.

"Amongst other matters, this Inquiry will explore Facebook's adherence with the requirements in the GDPR in respect to Data Protection by Design and Default and specifically in relation to Facebook's responsibility to protect the data protection rights of children as vulnerable persons", it adds. The first inquiry reportedly looks into the legal basis for Facebook to process such data and whether the social media giant employs adequate protections and restrictions to ensure the security and privacy of the data.

Europe's General Data Protection Regulation (GDPR) includes specific provisions related to the processing of children's information - with a hard cap set at age 13 for kids to be able to consent to their data being processed.

In February 2019, data scientist David Stier analysed profiles of nearly 200,000 Instagram users across the world.

Facebook Under Scrutiny Over Handling of Children’s Data on Instagram

Until recently, Instagram required all business accounts to show a phone number or email address, so users could not opt out of having their public information displayed.

Facebook did not immediately respond when contacted by Reuters on Sunday.

The same personal information was also contained in the HTML source code of web pages accessed when using Instagram on a computer, meaning that it could be "scraped" by hackers.

Mr Stier reported his findings to Facebook, but he wrote in a Medium blog that Instagram had refused to mask the email addresses and phone numbers for business accounts.

The DPC opened the dual investigations last month in response to claims that the Facebook-owned app had put children at risk of grooming or hacking by revealing their contact details.

"Speaking as a parent, I want to be assured that the experience Instagram offers to teens is as "adult-overseen" as possible".