Ireland’s Data Protection Commissioner is investigating Instagram over how the platform handles the personal data of children. If the company has broken any privacy laws, Facebook, the parent company, could be liable to pay a huge fine. Recently, reports highlighting Instagram’s inability to protect data gained traction online. According to the reports, Instagram allowed email addresses and phone numbers of minors, or those aged below 18, to become public.
Full story here: https://www.bbc.co.uk/
Fines issued must always represent and match the magnitude of a data breach, if organisations are going to learn from them. In the past, we have far too often seen minimal cash fines that do not equal the risk of compromising data ending up in the wrong hands. Investigations such as this reduce the threat to the people involved, along with their data – which, in turn, reduces knock-on cyberattacks. Social networks store masses of personal data, which must be treated with the respect it deserves. This is even more important when it comes to protecting the data of children, who make up a vast portion of Instagram’s users. Parents must try and curb the amount of private data their children post online, as many children do not understand the long-term risks or how their data could be used in the wrong hands.
The most important piece of information that will be taken into account here is the trade-off. Children were offered additional analytics on their posts, provided they shared their contact details.
The corresponding side of the trade-off is that the phone and email contact information becomes public. This public data has already been misused, as we have seen from the breach in India from May 2019, so a question needs to be asked: should children have even been given the option to expose their details? In many cases, I’m sure they used correct business-specific contact channels, but naturally, the fear would be many did not. Facebook and Instagram need to crack down on this and make it more difficult for people to expose their data.
For obvious reasons, children’s data collection and protection have very specific handling in many jurisdictions and are called out in GDPR very specifically. While a data protection regulator is no substitute for parenting and education to ensure children begin to understand how their data is eventually used, vendors have the utmost responsibility for compliance and transparency. In GDPR Article 8, the consent requirements, age limitations, and responsibilities are very clear, especially around consent. The fact that a data scientist has discovered trivial data exposure of what appear to be vulnerable minors in data collection applications is alarming if true. This is especially a concern given that it is also equally simple these days to de-identify, mask, or secure it and thus there are few excuses not to comply. In a world of attacks, data theft, and misuse, privacy and security have to be a first priority, especially the data of our next generation’s citizens.