TikTok has been issued with a fine of €345 million by Ireland’s data protection authority over historical shortcomings identified in relation to children’s privacy.
The Data Protection Commission (DPC) said that during the period between 31 July 2020 and 31 December 2020, TikTok had breached rules set out in the EU General Data Protection Regulation (GDPR), including principles that govern the processing of personal data and requirements around the disclosure of information to data subjects about that processing.
As well as imposing a fine, the DPC has ordered TikTok to take specific action to bring its processing into compliance by 1 December 2023, however TikTok said it “respectfully disagrees” with the decision and that it had made changes to address the issues identified by the DPC before the authority had opened its investigation in September 2021.
The DPC’s investigation looked at how TikTok’s settings were configured for child users, the company’s age verification procedures, and the information it provided for children.
The DPC considered the company had not complied with rules requiring data protection to be embedded in the design of its platform, and by default, because child user accounts were automatically public, meaning their posts could be viewed by users and non-users. TikTok said all under-16 accounts are now set as private by default. It also took issue with TikTok’s family pairing’ feature after raising concerns about how it could enable adults to message children directly.
The DPC opened its investigation into TikTok after data protection authorities in the Netherlands and France had requested its assistance in regulatory initiatives they had undertaken. Under the GDPR, the DPC is the ‘lead supervisory authority’ for data protection matters concerning TikTok’s operations in the EU, as the company has its main EU headquarters in Dublin.
The DPC issued a draft decision in the case last year, which was circulated to other data protection authorities (DPAs) across the EU. The Italian and Berlin DPAs raised reasoned objections, while other authorities also provided feedback on the decision. When the DPC could not obtain a consensus on what the final contents of the decision should be, the matter was referred to the European Data Protection Board (EDPB) for a binding decision. The outcome was that the DPC was required, in its final decision (126-page / 24.1MB PDF), to adopt a further finding of infringement, that reflected concerns raised about how TikTok influenced users’ privacy choices, and increase the penalty it had proposed to impose.
In a statement reported by several media outlets, TikTok said: “We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”