Europe’s primary data protection authority overseeing Facebook has initiated two additional investigations into the company’s operations, with both centering on the methods by which the Instagram platform handles information pertaining to young users.

This action by Ireland’s Data Protection Commission (DPC), as initially reported by the Telegraph, follows more than a year after a data scientist in the United States raised concerns regarding Instagram’s potential exposure of minors’ contact details. David Stier subsequently published the findings of his research, asserting that Instagram had not implemented necessary modifications to prevent access to young users’ data.

His investigation revealed that when children altered their Instagram account configurations to a business account type, their contact information—including email addresses and phone numbers—became publicly visible. Stier argued that this functionality resulted in the exposure of contact details for “millions” of children.

Facebook contests Stier’s interpretation of the situation, maintaining that it has consistently communicated that contact information is displayed when users opt to switch to a business account on Instagram.

The platform has also introduced a feature allowing users to prevent the display of their contact information when transitioning to a business account.

Despite this, the leading EU regulator has now indicated the identification of “potential concerns” regarding Instagram’s processing of data belonging to children.

According to the Telegraph’s coverage, the regulator launched these two inquiries last month in response to allegations that the platform potentially placed children at risk of exploitation or unauthorized access by disclosing their contact information.

The Irish DPC did not specifically confirm this but did acknowledge the commencement of two new statutory inquiries into Facebook’s handling of children’s data on the wholly-owned Instagram platform, as communicated to TechCrunch. The statement highlighted that the photo-sharing platform “is extensively used by children both in Ireland and throughout Europe”.

“The DPC has been proactively monitoring complaints received from individuals in this area and has identified potential concerns relating to the processing of children’s personal data on Instagram that necessitate further investigation,” the statement explained.

The regulator’s announcement details that the initial inquiry will assess the legal justification Facebook provides for processing children’s data on the Instagram platform, as well as the adequacy of existing security measures.

Europe’s General Data Protection Regulation (GDPR) incorporates specific provisions concerning the processing of children’s information, establishing a minimum age of 13 for consent to data processing. The regulation also mandates the implementation of inherent safeguards for children’s data.

“The DPC will aim to determine whether Facebook possesses a legal basis for the continued processing of children’s personal data and whether it employs sufficient protections and/or limitations on the Instagram platform for these children,” it stated regarding the first inquiry, further adding: “This Inquiry will also consider whether Facebook fulfills its obligations as a data controller regarding transparency requirements in its provision of Instagram to children.”

The DPC clarified that the second inquiry will concentrate on Instagram’s profile and account settings, evaluating “the suitability of these settings for children”.

“Among other considerations, this Inquiry will examine Facebook’s compliance with the requirements outlined in the GDPR concerning Data Protection by Design and Default, and specifically its responsibility to safeguard the data protection rights of children as vulnerable individuals,” it added.

In response to the regulator’s actions, a spokesperson for Facebook provided the following statement:

Violations of the GDPR can result in penalties of up to 4% of a data controller’s global annual revenue—potentially amounting to multi-billion euro fines for Facebook in the event of a violation.

However, Ireland’s regulator currently manages approximately 25 ongoing investigations related to multinational technology companies (known as cross-border GDPR cases)—a backlog that continues to draw criticism regarding the slow pace of decision-making. Consequently, the Instagram inquiries have been added to an extensive list of pending cases.

Earlier this summer, the DPC submitted its initial draft decision on a cross-border GDPR case—pertaining to a 2018 Twitter data breach—to the other EU DPAs for review.

This step resulted in further delays, as the other EU regulators did not unanimously support the DPC’s decision, triggering the dispute resolution mechanisms established within the GDPR.

Separately, an investigation by the U.K.’s Competition and Markets Authority into Instagram influencers revealed that the platform is not adequately protecting consumers from deceptive practices. The BBC reports that the platform will introduce new tools over the next year, including a prompt for influencers to disclose any incentives received for promoting a product or service before publishing a post, and new algorithms designed to identify potential advertising content.