
David Stier, a US data scientist who first discovered the loophole, estimates that as many as 5 million children had personal details exposed when they switched from a personal to a business setting to receive statistics on how popular their photos and videos were. No proof is required that the user actually runs a company, meaning personal contact details such as phone numbers and email addresses were publicly displayed on their profile, allowing anybody to contact the children outside of the app.
In addition, until last year the information was also included in the underlying code when using Instagram on a web browser, allowing anyone to automatically “scrape” the contact details en masse, said the report. Although Instagram’s minimum age for an account is 13, the platform does not strictly verify ages, and more than 1 in 5 children between 8 and 12 in the UK use it, according to Ofcom.
The Irish watchdog launched its investigations in late September and will first of all look into whether the app has the necessary safeguards to securely process users' data, particularly in regard to child users. It will then examine whether Instagram is following the relevant data protection rules over its profile and account settings.
The DPC subsequently confirmed the launch of the two statutory inquiries, saying it had been “actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination.”
Ireland is home to the European headquarters of several US technology firms, with the DPC currently the EU’s lead regulator under the “One Stop Shop” for the General Data Protection Regulation introduced in 2018. Under that regime, regulators have the power to impose penalties of up to 4 percent of a company’s global revenue, equivalent to around EUR 5.7 billion in Facebook’s case.