On Tuesday, a privacy expert emphasized the crucial role that regulation plays in protecting the personal information of children, as they lack awareness of the potential risks associated with their online activities, leaving them especially vulnerable to exploitation.
In an online interview, Graham Doyle, Deputy Commissioner and Head of Corporate Affairs, People & Learning, Media and Communications at the Irish Data Protection Commission (DPC), discussed four significant decisions made by the organization since its inception in 2018. To date, the DPC has concluded 51 decisions after thorough investigations.
Among the four cases discussed in the interview, the deputy commissioner noted two decisions related to children’s personal information on the social media platforms Instagram and TikTok. In September 2022, following a two-year investigation, the Irish privacy watchdog imposed a fine of €405 million ($440 million) on Meta Platforms’ Irish arm, the parent company of Instagram. Their findings revealed that children’s private information, such as email addresses and phone numbers, was exposed publicly online to users of Instagram business accounts.
In September 2023, TikTok faced a €345 million (around $370 million) fine for violating the European Union’s General Data Protection Regulation (GDPR), which took effect in 2018. The DPC examined the company’s handling of children’s information between July and December 2020 and concluded that the platform’s default public profile settings posed a potential risk to underage users, who often lack the savvy—due to their youth and inexperience—to understand the implications of their online presence.
“Under the GDPR, children are held up and singled out for the very first time as being a particular category of persons who warrant special protection. Up until 2018, there was no mention of children specifically as meriting special protection under the law,” explained Doyle.
Both social media companies have chosen to pursue legal challenges against the Irish privacy watchdog’s decision. In total, the DPC has imposed €2.9 billion ($3.1 billion) in fines and has collected €20 million, as most companies have appealed the decisions in court. Regardless of the level of recovery, the deputy director stressed the importance of the commission’s decisions, stating that they raise public awareness of the necessity for stringent regulatory measures in safeguarding the personal information of minors.
Doyle also highlighted the DPC’s decision to impose corrective measures, which have resulted in significant changes to the social media company’s problematic policies. “Instagram has altered their approach to processing children’s data. As a result of our investigation, these changes mean that children’s information is no longer visible even after they set up business accounts on Instagram,” said Doyle. “When we discuss changing behavior and making the internet safer, it’s these actions that truly make an impact.”
Related article: A story from Europe: The ultimate complexity of balancing between protecting and sharing information
Balance is not the first word that comes into one’s mind when thinking about cybersecurity. To most of us, we tend to focus on threat actors such as state-sponsored hackers and advanced persistent threat groups or the types of an attack such as ransomware and malicious code.
However, to an expert who has dedicated more than 25 years in the cyber domain, balance is the essence of cybersecurity. To make cyberspace safe, each country has to find the right balance between protecting data and releasing information.
◇ Hiding is not an answer
“You can share, or you can hide,” said Cormac Callanan, the cybersecurity coordinator for the Enhancing Security Cooperation In and With Asia, or ESIWA, to The Readable. “Hiding doesn’t help you.”
On December 15, The Readable met with the cybersecurity coordinator of ESIWA, who was visiting country to participate in the Hongneung Defense Forum’s special session for South Korea and the European Union. ESIWA is a project co-funded by the EU which aims to cooperate in four areas, including cybersecurity with six partner countries in Asia: South Korea, Japan, India, Vietnam, Singapore, and Indonesia.
The expert explained that in the past, countries tried to hide the fact that their governments suffered from cyberattacks, regarding it as a weakness. Nowadays, it is not only difficult to conceal the attacks since the actors publicly announce their activities online, but the decision to hide could itself hinder the preemptive measures that other countries could take to defend themselves from the same attacks. READ MORE
