On 1 September 2023, the Irish Data Protection Commission (DPC) adopted its final decision against TikTok for breaching EU data law in its handling of children’s user accounts.
TikTok will be required to bring its data processing into compliance with EU regulations within a stringent three-month timeline, as well as being subject to administrative fines totalling €345 million. This is the largest fine to date for the platform.
Background
The fine follows financial penalties against TikTok in the UK from the Information Commissioner’s Office (ICO), which we reported on in April of this year.
At that time, the ICO issued a fine of £12.7 million against TikTok for illegally processing children’s data. The users concerned were children under the age of 13, for whom TikTok did not have parental consent for this data processing.
DPC Action
In the current case, the DPC took action as the lead supervisory authority under GDPR for data protection matters concerning TikTok’s operations in the EU. The DPC’s decision was the outcome of its investigation into TikTok, which was launched in September 2021 and examined the processing of children’s data between 31 July and 31 December 2020.
During this investigation, the DPC found that TikTok had failed to provide sufficient transparency information, upheld inappropriate platform settings for young users, implemented ‘dark patterns’ to manipulate user choices and maintained ineffective age verification measures. For example, all user accounts were guided to public-by-default, with pop-ups making it more challenging to opt for privacy settings. Any user was able to interact by default with under-17s’ content through the ‘Duet’ and ‘Stitch’ features. Additionally, the ‘family pairing’ feature was not strict enough, allowing adults to enable direct messaging for young users.
Ultimately, the DPC determined that TikTok had committed multiple breaches of GDPR, recording infringement of Articles 5(1)(a), 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e).
TikTok has disagreed with the decision, stating that most of the issues had been addressed through changes it had introduced since the investigation. Elaine Fox, TikTok’s head of privacy for Europe, has commented:
“We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”
Implications
TikTok’s significant fine and onerous compliance mandate highlight increasing action regarding the data protection practices of online platforms, particularly concerning young users under the age of 13.
This is the latest in a series of GDPR penalties; in April of 2023, Meta was issued a record €1.2bn fine by the DPC for the mishandling of user data. The trend is likely to continue, especially as regulation of online spaces becomes more stringent.
Platforms must be vigilant in upholding data protection standards to avoid significant ramifications and reputational damage. Any platform that upholds settings which impair the ability of users to protect their personal data effectively should expect extensive scrutiny.
If you have any questions or would otherwise like to discuss any issue raised in this article, please contact David Varney.
This article was written by Victoria McCarron.