Irish privacy regulators have opened two investigations into Instagram over the social media site’s handling of young people’s personal data.
Ireland’s Data Protection Commission said it launched the investigations in September after receiving complaints about the company. Facebook, which owns Instagram and has its European headquarters in Ireland, said it’s in “close contact” with the commission and is “cooperating with their inquiries.”
The investigations were first reported late Sunday by Britain’s Daily Telegraph newspaper, which said they came after a U.S. data scientist aired concerns that Instagram made public the email addresses and phone numbers of people under 18. The minimum age to use Instagram is 13.
Data scientist David Stier said last year that his analysis found users, including those under 18, who switched their account types to business accounts also had their contact information displayed on their profile. Users were apparently switching to business accounts in order to see statistics on how many likes their posts were getting, after Instagram started removing the feature from personal accounts in some countries to help with mental health.
Facebook said it updated its business accounts since Stier’s findings and “people can now opt out of including their contact information entirely.”
One investigation will look into whether Facebook has adequate safeguards in place for children and whether it has a legal basis to process their data. The other focuses on whether Instagram’s profile and account settings are appropriate for children and follow strict European Union privacy regulations.
“The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children’s personal data on Instagram which require further examination,” Deputy Commissioner Graham Doyle said in a statement.
Companies can be fined up to 4% of a company’s annual revenue or 20 million euros ($24 million) — whichever is higher — for breaches of the EU’s General Data Protection Regulation.