22 Sep 2023
The Irish Data Protection Commission (DPC) has levied a staggering €345 million fine (approximately $379 million) against TikTok, the widely popular video-sharing platform. This hefty penalty comes as a consequence of TikTok's breach of the European Union's General Data Protection Regulation (GDPR), specifically in how it handles children's data. Moreover, the DPC has mandated that TikTok revamp its data handling practices to align with GDPR standards within the next three months.
The DPC's extensive investigation unearthed eight GDPR violations committed by TikTok. These infractions encompassed various aspects of data processing, including the lawfulness, fairness, and transparency of data handling, data minimization, data security, controller responsibilities, and data protection by design and by default, as well as the rights of data subjects, notably minors, to receive clear information regarding data processing and the disclosure of their personal information.
An interesting revelation from the investigation was that TikTok's age verification methods, a matter that had sparked controversies with regulators in different regions, were found to comply. However, the DPC's ruling highlighted a breach of Article 24(1) of the GDPR. TikTok had failed to implement adequate technical and organizational measures to safeguard users under the age of 13 who access the platform. Notably, the default account settings permitted anyone, whether on or off TikTok, to view content posted by these underage users.
TikTok is now considering its options, including the possibility of appealing the decision in the Irish courts.
Elaine Fox, TikTok's Head of Privacy in Europe, responded in greater detail on the company's website. She underscored the proactive measures TikTok had taken to address safety concerns even before the DPC initiated its investigation. For instance, TikTok had set the accounts of users aged 13 to 15 to private by default. She also emphasized that TikTok had become the first major platform, and remains the only one, to publicly disclose the number of suspected underage accounts it removes. According to Fox, in the first three months of 2023 alone, TikTok had removed nearly 17 million such accounts worldwide.
This substantial fine and the associated ruling serve as a stern warning to social media platforms and tech companies regarding their obligations under the GDPR to safeguard the data privacy and security of children and all users.
This incident is not isolated, as TikTok has faced previous fines. The UK's Information Commissioner's Office (ICO) had fined TikTok around $15.7 million for mishandling children's data. In addition, Meta-owned Instagram had received a significant GDPR fine in the EU in the preceding year for data protection violations involving children, totaling €405 million.
Child protection concerns have consistently resulted in substantial penalties from European privacy regulators, though they still fall short of the largest GDPR sanction to date, a €1.2 billion penalty against Meta for illegal data transfers.
Currently, TikTok's data exports are under investigation in the EU, with a draft decision expected for review by other regional data protection authorities by year's end, leading to a final decision in 2024, subject to potential disagreements with Ireland's preliminary findings.
The Irish Data Protection Commission (DPC) initiated the investigations into the video-sharing platform's data transfers and its handling of children's data two years ago, driven by concerns raised by other EU data protection authorities and consumer protection groups. Italy's data protection authority had previously taken urgent measures against TikTok over child safety concerns, resulting in significant user age verification processes.
While EU consumer protection authorities had expressed concerns about privacy and child safety, the Irish regulator's response was perceived as sluggish, leading to criticism of Commissioner Helen Dixon in the European Parliament. This delay has raised questions about the regulator's ability to enforce the GDPR against major tech platforms.
Commissioner Dixon defended the DPC's "busy GDPR enforcement" efforts, particularly in the case of TikTok, citing the extensive volume of materials being examined as a factor in the timing of the investigations.
The substantial GDPR fine imposed on TikTok serves as a stark reminder of the importance of robust data protection measures, especially when it comes to safeguarding the privacy of children. This pivotal ruling delivers a clear message to tech giants and social media platforms, emphasizing the need for strict compliance with the GDPR.