Instagram is again targeted by the Irish Data Protection Commission (DPC) following complaints that the personal data of children and adolescents is not adequately protected. The Dublin-based supervisory authority announced on Monday that it had already initiated two proceedings against Facebook as the parent company of Instagram in September. It therefore checks whether the operator of the social network is following legal principles such as the General Data Protection Regulation (GDPR) when processing information from minors.

“Potential concerns” According to the DPC, based on the complaints it has received, the DPC has “potential concerns” that everything is not going well on Instagram in this area. In the first case, it is now examining in more detail whether Facebook in principle relies on suitable legal bases for handling sensitive data on Instagram.

At the same time, the DPC wants to investigate whether there are adequate protective measures or restrictions on the social network for children. The inspectors also want to examine whether Facebook is complying with transparency requirements when the group provides Instagram for children.

With the second case, the authority will, according to its plan, be on the profile and Focus on Instagram account settings and analyze whether they are appropriate for children. In this context, it will be checked whether Facebook is taking into account the requirements of the GDPR for “Privacy by Design and Default”, ie whether it is already integrating data protection into the technology and setting it as a default. It will also be a question of whether the Group is fulfilling its responsibility towards children as particularly vulnerable people in this area.

Contact details can be accessed According to reports, the investigation goes back to a complaint by US data scientist David Stier. Last year the expert analyzed profiles of almost 200. 000 Instagram users around the world. It assumes that for over a year at least 60 million users under 18 years had the opportunity to easily convert their profiles into business accounts. For these accounts, members must publicly display their phone numbers and email addresses. This means that they are at least directly visible to other Instagram users.

According to Stier, the same personal data was also contained in the HTML source code of websites when Instagram members accessed them via their computers. Hackers would have been able to access them comparatively easily using “scraping”. Stier also warned that attackers could have succeeded in stealing personal information from Instagram: in May 2019 it became known that the contact details of 49 Millions of users were stored online in an unguarded database owned by a company in India.

The researcher confronted Facebook with his results. Instagram has refused to disguise the email addresses and phone numbers for business accounts, he wrote afterwards. The contact information has at least disappeared from the source code of the Instagram pages.

Facebook contradicts A Facebook spokeswoman told the BBC that Taurus had misunderstood the policies and operation of the systems. Anyone who has a business account on Ins