The EU is investigating Instagram for allegedly exposing the contact data of up to 5 million underage users

• The EU is investigating whether Instagram broke data-privacy laws after it allegedly exposed the personal data of millions of children, the Telegraph reports.
• It follows a complaint from a US data scientist, who last year said that Instagram allowed underage users to publicly display their phone numbers and email addresses by switching to "business" accounts.
• Ireland's Data Protection Commission, the official European data regulator for Instagram owner Facebook, is launching two investigations following the formal complaint.
• Under Europe's strict data privacy laws, Instagram's parent company Facebook could face maximum fines equal to 4% of its annual revenue.

The EU is leading two active investigations into whether Instagram illegally exposed the personal details of millions of underage users, the Telegraph reported Monday.

The investigations are being carried out by Ireland's Data Protection Commission (DPC), the official data regulator for Instagram's parent company Facebook in Europe. Facebook's European headquarters are in Dublin.

The DPC launched the investigations last month after it received a complaint from US data scientist David Stier. Stier told the Telegraph he believes as many as 5 million users under the age of 18 had their personal contact details exposed. "Instagram had enormous resources at their disposal, but this incident shows they had woefully low levels of empathy, safety awareness and care for their users," Stier said.

DPC Deputy Commissioner Graham Doyle told the Telegraph that the commission "has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination."

In a statement sent to Business Insider, the DPC described the twin investigations into Facebook. The first will examining the legal framework Facebook uses to process children's data on Instagram.

---

"The DPC will set out to establish whether Facebook has a legal basis for the ongoing processing of children's personal data and if it employs adequate protections and or restrictions on the Instagram platform for such children," the Commission said in its statement.

The second investigation will specifically delve into Instagram's "profile and account settings," and whether they're appropriately set up to deal with child users. The Telegraph reports that under EU data protection regulations, each investigation could result in a maximum fine of 4% of Facebook's annual revenue. Facebook's annual turnover for 2019 was $70.7 billion, meaning a maximum 4% fine would equal $2.8 billion.

Instagram loophole discovered in 2019

Stier wrote in a Medium post in 2019 that he had found an Instagram loophole that allowed the personal data of underage users to be publicly exposed.

The loophole is linked to how Instagram allows users to switch between a regular account and a "business" account. To change over to having a business account, Instagram users must add either a phone number or an email address, which was then publicly accessible.

"Because there are seemingly no restrictions on who can change their personal profile to a business account, many kids have figured out that they can 'claim' to have a business so that they can add the contact buttons onto their own profile page," Stier wrote in 2019.

Instagram has since changed this process so business account holders have to opt-in to having their contact details publicly displayed.

"We've always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That's very different to exposing people's information," an Instagram spokesperson told Business Insider.

"We're in close contact with the IDPC and we're cooperating with their inquiries," they added. "I'm relieved that the IDPC has confirmed the seriousness of the issues that I and others have brought to their attention," Stier told Business Insider.

"However, Instagram continues to place children in harm's way and they have only made minor adjustments that affect new users and I have evidence that they've done nothing to anonymize the personal contact data for millions of kids who set up fake business accounts," he added.