TikTok, the widely used video-sharing platform, has been directed to pay a substantial €345 million fine, which roughly translates to $379 million, by the Irish Data Protection Commission (DPC).
This penalty has been imposed for violating the European Union’s General Data Protection Regulation (GDPR) in relation to the management of children’s data. In addition to the fine, TikTok is required to rectify its data processing procedures to align with GDPR standards within the next three months.
The DPC’s investigation uncovered that TikTok had breached eight articles of the GDPR, including infringements related to the legality, fairness, and transparency of data processing, data minimization, data security, the responsibilities of data controllers, data protection through design and default settings, and the rights of data subjects, particularly minors, to receive clear information about how their personal data is processed and disclosed.
Although the investigation did not find any issues with TikTok’s age verification methods, which had been a contentious point with various regional regulators previously, the DPC’s ruling emphasizes a violation of Article 24(1) of the GDPR.
This is because TikTok failed to implement adequate technical and organizational measures to address specific risks faced by users under the age of 13 who used the platform. Importantly, default account settings allowed anyone, both inside and outside of TikTok, to access content posted by these underage users.
At the time, TikTok’s settings allowed child users to go through the sign-up process, automatically configuring their accounts to be public. Consequently, videos, comments, and features like ‘Duet’ and ‘Stitch’ were publicly accessible by default.
Furthermore, TikTok permitted child accounts to be linked with unverified non-child users through the “Family Pairing” feature, without verifying whether the user was indeed the child’s parent or guardian. This feature also allowed non-child users to enable direct messaging for child users aged 16 and above, leading to a lower level of protection for the child user, according to the DPC’s findings.
This substantial fine and ruling serve as a clear message to social media platforms and technology companies regarding their obligations to safeguard the data privacy and security of children and all users in accordance with GDPR regulations.
In response to this development, a spokesperson for TikTok informed TechCrunch that the company is currently evaluating its next steps, which may include filing a legal appeal in Ireland.
Elaine Fox, TikTok’s Head of Privacy in Europe, provided a more detailed response on the company’s website. She highlighted the proactive measures TikTok took to address safety concerns even before the DPC’s investigation began, such as setting user accounts aged 13-15 to private by default.
Additionally, Fox emphasized that in 2021, TikTok became the first major platform, and remains the only one, to publicly disclose the number of suspected underage accounts it removes. According to her statement, during the first three months of 2023, TikTok removed nearly 17 million such accounts worldwide.
“We publish this in our quarterly Community Guideline Enforcement Reports, and during the first three months of 2023, we removed nearly 17 million such accounts globally,” she wrote in a statement.
Elaine Fox acknowledged that age verification is a challenge faced by the entire industry and expressed TikTok’s commitment to collaborating with regulators and experts to identify innovative solutions that further enhance its efforts to prevent underage users from accessing the platform.
According to the statement, the video-sharing platform boasts over 134 million monthly active users throughout the European Union.
TikTok and the Irish Data Protection Commission
The Irish Data Protection Commission (DPC) conducted an investigation into TikTok’s handling of children’s data during a five-month period, from July 31, 2020, to December 31, 2020.
The commission examined TikTok’s compliance with GDPR obligations regarding the processing of personal data related to child users, particularly concerning default settings and the “Family Pairing” feature.
Transparency obligations were also scrutinized in terms of how information was provided to child users regarding default settings.
The DPC’s initial findings indicated fewer GDPR breaches than the final decision confirmed. However, objections from two other authorities (Italy’s DPA and the Berlin authority) led to a binding decision by the European Data Protection Board (EDPB), which agreed that the GDPR’s fairness principle had been breached.
The DPC’s final decision was adopted on September 1, 2023, giving TikTok until the start of December to rectify GDPR compliance or face further penalties.
The platform claims to have already addressed most of the issues leading to the sanctions but strongly objects to the fine amount.
Notably, the UK’s Information Commissioner’s Office (ICO) imposed a fine on TikTok earlier for mishandling children’s data, amounting to approximately $15.7 million. A significant GDPR fine was also imposed on Meta-owned Instagram in the EU in the previous year for data protection violations involving children, totaling €405 million.
Child protection concerns continue to result in substantial penalties from European privacy regulators, though they still fall short of the largest GDPR sanction to date, a €1.2 billion penalty against Meta for illegal data transfers.
TikTok’s data exports are under investigation in the EU, with a draft decision expected to be submitted for review by other regional data protection authorities by the end of the year, leading to a final decision in 2024, contingent on potential disagreements with Ireland’s preliminary findings.
The European Data Protection Board (EDPB) has been increasingly involved in making binding decisions on GDPR investigations led by Ireland, resulting in larger penalties and broader breach findings.
Irish Regulator Faces Scrutiny Over TikTok Data Handling Investigations
The Irish Data Protection Commission (DPC) initiated investigations into the video-sharing platform’s data transfers and its handling of children’s data two years ago, driven by concerns raised by other EU data protection authorities and consumer protection groups.
Italy’s data protection authority had previously taken urgent measures against TikTok over child safety concerns, leading to a significant user age verification process.
EU consumer protection authorities also voiced concerns about privacy and child safety. However, the Irish regulator’s response was perceived as slow, resulting in Commissioner Helen Dixon facing criticism in the European Parliament. The delay raised questions about the regulator’s ability to enforce GDPR regulations on major tech platforms.
Commissioner Dixon defended the DPC’s “busy GDPR enforcement” efforts, especially regarding TikTok, citing the extensive volume of materials being examined as a factor in the timing of the investigations.