- The EU is investigating whether Instagram broke data-privacy laws after it allegedly exposed the personal data of millions of children, the Telegraph reports.
- It follows a complaint from a US data scientist, who last year said that Instagram allowed underage users to publicly display their phone numbers and email addresses by switching to "business" accounts.
- Ireland's Data Protection Commission, the official European data regulator for Instagram owner Facebook, is launching two investigations following the formal complaint.
- Under Europe's strict data privacy laws, Instagram's parent company Facebook could face maximum fines equal to 4% of its annual revenue.
The DPC launched the investigations last month after it received a complaint from US data scientist David Stier. Stier told the Telegraph he believes as many as 5 million users under the age of 18 had their personal contact details exposed.
"Instagram had enormous resources at their disposal, but this incident shows they had woefully low levels of empathy, safety awareness and care for their users," Stier said.
DPC Deputy Commissioner Graham Doyle told the Telegraph that the commission "has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination."
In a statement sent to Business Insider, the DPC described the twin investigations into Facebook. The first will examine the legal framework Facebook uses to process children's data on Instagram.
"The DPC will set out to establish whether Facebook has a legal basis for the ongoing processing of children's personal data and if it employs adequate protections and or restrictions on the Instagram platform for such children," the Commission said in its statement.
The second investigation will specifically delve into Instagram's "profile and account settings," and whether they're appropriately set up to deal with child users.
The Telegraph reports that under EU data protection regulations, each investigation could result in a maximum fine of 4% of Facebook's annual revenue. Facebook's annual turnover for 2019 was $70.7 billion, meaning a maximum 4% fine would equal $2.8 billion.
Instagram loophole discovered in 2019
Stier wrote in a Medium post in 2019 that he had found an Instagram loophole that allowed the personal data of underage users to be publicly exposed.
The loophole is linked to how Instagram allows users to switch between a regular account and a "business" account. To switch to a business account, Instagram users must add either a phone number or an email address, which was then made publicly accessible.
"Because there are seemingly no restrictions on who can change their personal profile to a business account, many kids have figured out that they can 'claim' to have a business so that they can add the contact buttons onto their own profile page," Stier wrote in 2019.
Instagram has since changed this process so business account holders have to opt in to having their contact details publicly displayed.
"We've always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That's very different to exposing people's information," an Instagram spokesperson told Business Insider.
"We're in close contact with the IDPC and we're cooperating with their inquiries," they added.
"I'm relieved that the IDPC has confirmed the seriousness of the issues that I and others have brought to their attention," Stier told Business Insider.
"However, Instagram continues to place children in harm's way and they have only made minor adjustments that affect new users and I have evidence that they've done nothing to anonymize the personal contact data for millions of kids who set up fake business accounts," he added.