UPDATE 20/10/20: This article was updated to include a comment from Facebook.
Ireland’s Data Protection Commission (DPC) has launched two statutory inquiries into the processing of children’s data on the Facebook-owned social media platform Instagram.
In the first, the DPC will look at Facebook’s reliance on certain legal bases for processing children’s personal data on Instagram, whether Facebook has a legal basis for the ongoing processing of children’s personal data on Instagram, and whether it employs adequate protections and/or restrictions on the Instagram platform for such children. It will also consider whether Facebook is adequately discharging its obligations as a data controller regarding transparency requirements over children using Instagram.
The second inquiry will investigate the appropriateness of Instagram profile and account settings for children, checking GDPR adherence regarding the data protection rights of children as vulnerable persons.
In a statement, the DPC said: “The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination.”
It added: “In today’s digital world in which vast numbers of children are prevalently active on social media, it is vital that data controllers are compliant with their obligations under the GDPR and the Data Protection Act 2018 in relation to their processing of children’s personal data on their platforms. Instagram is a social media platform which is used widely by children in Ireland and across Europe.”
The inquiries, opened in September, reportedly stem from the claims of a US-based data scientist, David Stier, that children’s contact details were made available where they had switched to a business account to access analytics functions.
A Facebook company spokesperson said: “We’ve always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That’s very different to exposing people’s information. We’ve also made several updates to business accounts since 2019, and people can now opt out of including their contact information entirely. We’re in close contact with the IDPC and we’re cooperating with their inquiries.”