• Hyp3r, a buzzy San Francisco startup, has been scraping millions of Instagram users’ data, tracking their locations and saving their Stories posts.
  • The Irish Data Protection Commission, a key EU data regulator, is now looking into whether EU data subjects were affected.
  • The locations Hyp3r targeted included places in the EU, so the answer to that is almost certainly yes.
  • Instagram issued Hyp3r with a cease and desist and kicked the company off its platform after Business Insider alerted it to Hyp3r’s behaviour.
  • Hyp3r denies wrongdoing and says it abides by privacy regulations and social networks’ terms of service.
  • Visit Business Insider’s homepage for more stories.

A top data protection regulator in the European Union is looking into the systematic collection of Instagram users’ personal data, including posts that were designed to disappear after 24 hours, by a San Francisco startup.

The Irish Data Protection Commission said on Wednesday that it is “working to establish” whether EU citizens have been affected by the data scraping, which was first revealed in a Business Insider investigation published Wednesday.

Marketing firm Hyp3r has been scraping millions of users’ public data from the Facebook-owned photo-sharing app – tracking people’s locations, saving their Stories posts (which are supposed to disappear after 24 hours), and gathering other information about them.

After Business Insider approached Instagram for comment, it issued Hyp3r with a cease and desist, and kicked the company off its platform.

Hyp3r had been operating in plain sight for a year, taking advantage of a weakness in Instagram's security, but Instagram failed to notice. Instagram even designated Hyp3r as an official "Marketing Partner." Sata scraping is widespread, and it is likely that many other outside firms were similarly taking advantage of Instagram's lax efforts to safeguard user data.

Hyp3r has denied wrongdoing, and CEO Carlos Garcia previously said in a statement: "HYP3R is, and has always been, a company that enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services. We do not view any content or information that cannot be accessed publicly by everyone online."

SEE ALSO: Instagram's lax privacy practices let a trusted partner track millions of users' physical locations, secretly save their stories, and flout its rules

Reached for comment, the Irish Data Protection Commission - which is responsible for regulating Facebook and its subsidiaries in the EU - said it is trying to understand whether Europeans have been affected, before it takes next steps.

"We are aware of media reports in relation to this issue," a spokesperson told Business Insider in a statement. "We are working to establish whether EU data subjects have been affected in the first instance and will then assess whether further information from Instagram is required."

Europeans seem certain to have been affected by the data scraping; sources say Hyp3r harvested data from "geofenced" locations around the world, and marketing material released by hotel chain Marriott, one of its customers, said it "surfaces all public social posts shared by on-property guests across our entire portfolio of hotels worldwide." Marriott has numerous hotels in the European Union.

A Hyp3r spokesperson said that the company was compliant with GDPR, the EU's privacy regulation, and that it has not yet been contacted by the Irish DPC. Hyp3r encrypts all personally identifiable information, the company said, and is confident that issues with Instagram will soon be resolved.

In an interview on Wednesday set up by Hyp3r's PR team, Ray Kruk, CEO of security and compliance firm Tugboat Logic, also said that his company has worked with Hyp3r to ensure compliance with GDPR and other international standards. Hyp3r has extremely high standards of security, he said, and takes "unbelievable measures to ... confirm with GDPR."

Kruk acknowledged that he did not have visibility into how Hyp3r's data was acquired.

A spokesperson for Instagram did not immediately respond to Business Insider's request for comment on Thursday.

Do you work at Instagram or Hyp3r? Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at rprice@businessinsider.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.

Read more: