Ireland’s data protection agency is investigating Instagram following concerns over how the image-sharing social platform handled children’s personal data, according to media reports.

The Data Protection Commission (DPC) received complaints that the US firm — owned by Facebook — had allowed the phone numbers and email addresses of under 18-year-olds to remain public, British newspaper the Daily Telegraph reported Sunday.

Following the complaints the DPC, the European Union’s main data privacy regulator, reportedly launched two separate inquiries last month.

Also read: Facebook to stop running political advertisements post-US polls

Neither Facebook nor the DPC immediately responded to AFP’s request for comment.

Data scientist David Stier found that when Instagram accounts switched from a personal to a business setting users’ email addresses and phone numbers became public, the Telegraph reported.

Business profiles allow users to see how many people are viewing their profiles and images.

Anyone can set up such an account, with the social platform currently not requiring proof the person is actually running a company.

Also read: Always mute, catalogue shortcut among upcoming WhatsApp features

Until recently Instagram also required all business users to publicly list a phone number or email address.

Instagram’s minimum age for an account is 13.

According to media reports, the DPC investigations will first examine whether the app has the necessary safeguards to securely process users’ data, particularly in regard to child users.

The DPC will also look at whether Instagram is following the Irish regulator’s data protection rules over its profile and account settings.