TikTok to pay $379 million EU fine over child data privacy violations

TikTok had infringed on eight articles of the GDPR, including violations related to the lawfulness, fairness, and transparency of data processing

In a landmark decision, the Irish Data Protection Commission (DPC) has ordered TikTok, the popular video-sharing platform, to pay a €345 million fine, equivalent to approximately $379 million, for breaching the European Union’s General Data Protection Regulation (GDPR) in its handling of children’s data. The ruling also requires TikTok to bring its data processing practices into compliance with the GDPR within three months.

The DPC’s investigation found that TikTok had infringed eight articles of the GDPR, covering the lawfulness, fairness and transparency of processing, data minimisation, security of processing, the responsibility of the controller, data protection by design and by default, and the right of data subjects, including minors, to receive clear information about how their personal data is processed and disclosed.

The investigation did not find fault with TikTok’s age verification methods, which had previously been a point of contention with several regional regulators. Nevertheless, the DPC found a breach of Article 24(1) of the GDPR, because TikTok failed to implement adequate technical and organisational measures to address the specific risks faced by users under the age of 13 who gained access to the platform. Notably, the default account settings allowed anyone, both on and off TikTok, to view content posted by these underage users.

TikTok’s settings at the time let child users progress through the sign-up process in a way that automatically set their accounts to public. This meant that videos, comments, and features like ‘Duet’ and ‘Stitch’ were publicly accessible by default. Additionally, TikTok allowed child accounts to be “paired” with unverified non-child users through the “Family Pairing” feature, without confirming that the paired user was in fact the child’s parent or guardian.


According to the DPC’s findings, the same feature also allowed those non-child users to enable direct messaging for child users aged 16 and above, leaving the child user with a less stringent level of protection.

The size of the fine and the ruling serve as a clear warning to social media platforms and tech companies about their obligations under the GDPR to protect the data privacy and security of children and of all users.

TikTok reacts

In response to the development, a TikTok spokesperson told TechCrunch that the company is currently evaluating its next steps, which could potentially include filing a legal appeal in Ireland.

Elaine Fox, TikTok’s Head of Privacy in Europe, provided a more detailed response on the company’s website. She highlighted measures TikTok had taken to address safety concerns before the DPC’s investigation began, including setting the accounts of users aged 13 to 15 to private by default.

She also said that in 2021 TikTok became the first major platform, and remains the only one, to publicly disclose the number of suspected underage accounts it removes.

“We publish this in our quarterly Community Guideline Enforcement Reports and during the first three months of 2023, we removed nearly 17 million such accounts globally,” she wrote in a statement.

Elaine Fox acknowledged that ensuring age verification is an industry-wide challenge and expressed TikTok’s commitment to collaborating with regulators and experts to identify innovative solutions that further enhance their efforts to prevent underage users from accessing the platform.

According to the statement, the video-sharing platform boasts over 134 million monthly active users throughout the European Union.


TikTok and the Irish Data Protection Commission

The Irish Data Protection Commission (DPC) conducted an investigation into TikTok’s handling of children’s data during a five-month period, from July 31, 2020, to December 31, 2020. The commission examined TikTok’s compliance with GDPR obligations regarding the processing of personal data related to child users, particularly concerning default settings and the “Family Pairing” feature. Transparency obligations were also scrutinized in terms of how information was provided to child users regarding default settings.

The DPC’s draft decision found fewer GDPR breaches than the final decision confirmed. Objections from two other authorities (Italy’s DPA and the Berlin data protection authority) led to a binding decision by the European Data Protection Board (EDPB), which agreed with the objecting authorities that TikTok had also breached the GDPR’s fairness principle. The DPC adopted its final decision on September 1, 2023, giving TikTok until the start of December to bring its processing into compliance or face further penalties.

The platform claims to have already addressed most of the issues leading to the sanctions, but it strongly objects to the fine amount.


Notably, the UK’s Information Commissioner’s Office (ICO) had earlier fined TikTok approximately $15.7 million for mishandling children’s data. A significant GDPR fine was also imposed on Meta-owned Instagram in the EU the previous year for data protection violations involving children, totalling €405 million.

Child protection concerns continue to result in substantial penalties from European privacy regulators, though they still fall short of the largest GDPR sanction to date, a €1.2 billion penalty against Meta for illegal data transfers.

TikTok’s data transfers out of the EU are also under investigation, with a draft decision expected to be submitted to the other regional data protection authorities for review by the end of the year. A final decision would follow in 2024, though the timing depends on whether those authorities disagree with Ireland’s preliminary findings.

The European Data Protection Board (EDPB) has been increasingly involved in making binding decisions on GDPR investigations led by Ireland, resulting in larger penalties and broader breach findings.

Irish regulator faces scrutiny over TikTok data handling investigations

The Irish Data Protection Commission (DPC) opened investigations into the video-sharing platform’s data transfers and its handling of children’s data two years ago, prompted by concerns raised by other EU data protection authorities and consumer protection groups. Italy’s data protection authority had previously taken urgent measures against TikTok over child safety concerns, which led the platform to carry out a large-scale age verification exercise for its users there.

EU consumer protection authorities also voiced concerns about privacy and child safety. The Irish regulator’s response, however, was widely seen as slow, and Commissioner Helen Dixon faced criticism in the European Parliament. The delay raised questions about the regulator’s ability to enforce the GDPR against major tech platforms.

Commissioner Dixon defended the DPC’s “busy GDPR enforcement” efforts, especially regarding TikTok, citing the sheer volume of material under examination as a factor in the timing of the investigations.


Technext Newsletter

Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!