The Irish Data Protection Commissioner (DPC) is one of the EU's leading regulatory authorities responsible for protecting the privacy of individuals on the Internet. They also have the power to impose heavy fines (2018).
DPC is investigating whether Facebook has a legal basis for processing personal information about children and whether it applies appropriate safeguards and restrictions to Instagram for children, as children in Ireland and across Europe use these platforms. The DPC is also investigating whether Facebook has met the GDPR requirements regarding Instagram's profile and account settings.
U.S. data scientist David Stier analyzed the profiles of 200,000 Instagram users around the world for over a year and reported that at least 60 million users under the age of 18 could easily convert their profiles to business accounts, where users must publicly display their phone numbers and email addresses. As a result, their personal information is visible to other Instagram users and is contained in the HTML source code of the web pages accessed when using Instagram on a computer, which means they could be "scratched" by hackers.
In response to these reports and complaints, a Facebook spokesperson said that they have made several updates to business accounts and that it was now possible to refrain from providing full contact information. However, Mr. Stier believes hackers may have managed to steal personal information from Instagram's website, as happened in 2019 when the contact details of 49 million users were stored online in an unguarded database owned by a company in India.