The DPC, the main data privacy regulator in the European Union, received complaints from individuals and had identified “potential concerns” in relation to the processing of children’s personal data on Instagram, Deputy Commissioner Graham Doyle told Reuters in an emailed statement.
Both inquiries were launched last month, Doyle said in the statement.
Facebook did not immediately respond when contacted by Reuters on Sunday.
The Telegraph, which first reported the inquiry, said Instagram made the email addresses and phone numbers of users under 18 public.
The Irish regulator launched its probe following a complaint by David Stier, a U.S. data scientist, the Telegraph added.
The first inquiry looks to establish if Facebook has the legal basis to process the data and whether it employs adequate protections and/or restrictions on Instagram.
“This inquiry will also consider whether Facebook meets its obligations as a data controller with regard to transparency requirements in its provision of Instagram to children,” Doyle said.
Instagram’s profile and account settings will be the focus of the second inquiry, examining whether the social media company is adhering to the regulator’s data protection requirements.
Ireland hosts the European headquarters of a number of U.S. technology firms, making the DPC the EU’s lead regulator under the bloc’s General Data Protection Regulation’s “One Stop Shop” regime introduced in 2018.
The new rules give regulators the power to impose fines for violations of up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher.