LONDON (AP) — Irish regulators are slapping Instagram with a big fine after an investigation found the social media platform mishandled teenagers’ personal data.

Ireland’s Data Protection Commission said by email Monday that it made a final decision last week to fine the company 405 million euros ($402 million), though the full details won’t be released until next week.

The penalty is the second-biggest issued under the European Union’s stringent privacy rules after Luxembourg’s regulators fined Amazon 746 million euros last year.

Instagram parent Meta, which also owns Facebook and can appeal the decision, didn’t respond to a request for comment.

The Irish watchdog’s investigation centered on how Instagram exposed the personal details of users ages 13 to 17, including email addresses and phone numbers. The minimum age for Instagram users is 13.

Under the EU’s data privacy rules, the Irish watchdog is the lead regulator for many U.S. tech companies with European headquarters in Dublin.

The watchdog has a raft of other inquiries into Meta-owned companies. Last year, it fined WhatsApp 225 million euros for breaching rules on transparency about sharing people’s data with other Meta companies.