Instagram under investigation over its handling of children’s personal data

Ireland’s DPC (Data Protection Commission) is investigating Instagram amid allegations that it failed to protect children’s personal data.

Reports claimed that the email addresses and phone numbers of those under 18 were left publicly available due to an oversight in the way users configure their account settings.

The Facebook-owned company, which is based in Ireland, has rejected the claims but is cooperating with the DPC.

What went wrong?

The complaint was brought to the DPC by David Stier, a US-based data scientist who analysed profiles of almost 200,000 Instagram users around the world.

He estimated that at least 60 million users under the age of 18 were given the option to change their profiles into business accounts, which would require users to display their phone numbers and email addresses publicly.

If the DPC confirms this, there are several potential GDPR (General Data Protection Regulation) violations.

For example, Instagram may not have had a legal basis to process children’s personal data in the way that it was ultimately used, and it may not have employed adequate measures to protect individuals’ privacy and mitigate the risk of data breaches.

The GDPR acknowledges that there are additional risks associated with children’s personal data, and therefore includes specific measures to address them.

These include restrictions on the age at which data subjects can lawfully give consent and rules on the way online services obtain children’s consent.

The DPC is investigating whether Instagram breached those requirements and how the data was made publicly available.

GDPR compliance support with GRCI Law

This story demonstrates how easy it is for small features to turn into major regulatory issues. Organisations will always have a tough task when dealing with children’s personal data, but these sorts of problems can occur in any part of your business.

If you’re concerned about whether you’re meeting your GDPR compliance requirements, our Privacy as a Service solution is ideal.

Our team of experienced lawyers, barristers, and information and cyber security experts will work with you to help you achieve regulatory success.

This includes help with compliance monitoring, breach notification processes and data privacy management, and support completing DSARs (data subject access requests).

Receive unlimited GDPR legal advice without the usual law firm fees