
Irish Data Protection Watchdog fines TikTok €345 million for breaking EU data law on children’s accounts

October 13, 2023 | By Preiskel & Co

In a significant development concerning data privacy and protection, the final decision of Ireland’s Data Protection Commission (“DPC”) imposes a fine of €345 million on the popular social media platform TikTok for violating children’s privacy in 2020. The scale of the fine indicates how seriously the DPC treats the misuse of children’s personal data, and shows that the DPC does not shy away from investigating past actions despite any updates that a platform may have made in the meantime.

Timeline of the investigation

The investigation began in September 2021 as an ‘own volition’ enquiry by the DPC to examine TikTok’s processing of children’s personal data between 21 July 2020 and 31 December 2020 and its compliance with the EU General Data Protection Regulation (“GDPR”). As the lead supervisory authority, the DPC submitted a preliminary decision with a range of fines in September last year to all supervisory authorities concerned with this investigation for their views (pursuant to the process under Article 60(3) GDPR).[1] Consensus on the infringements to take into account under the investigation was reached by the European Data Protection Board (“EDPB”) on 2 August 2023 (pursuant to Article 65 GDPR dispute resolution).

TikTok’s GDPR Infringements

The DPC found that the following actions in 2020 brought TikTok in violation of GDPR:

  • Features on the TikTok platform

TikTok had a public-by-default setting, which meant that the profiles of children aged 13-17 were public and their content could be viewed by anyone on or off TikTok. This was found to be a failure by TikTok to implement appropriate technical, organisational and security measures (Article 5(1)(c), 5(1)(f), 25(1), and 25(2) GDPR). TikTok failed to address the possible risks to the rights and freedoms of child users, which is also a breach of Article 24(1) GDPR.

TikTok’s ‘Family Pairing’ feature on the platform, which allows adult accounts to link with child accounts, was also found to be in breach. TikTok did not verify the parent or guardian status of these linked adult accounts, meaning child accounts could be linked to adults unrelated to them. This is in violation of Article 5(1)(c) and 25(1) GDPR.

  • Lack of compliance with transparency obligations

When asked to provide information on the categories of recipients of personal data, TikTok failed to do so. It also did not provide child users with information on the scope and consequences of the public-by-default setting. These actions were found to be in violation of Article 12(1) and Article 13(1)(e) GDPR.

  • The use of ‘dark patterns’ during the sign-up process

The DPC also found that TikTok incorporated ‘dark patterns’ pushing users towards choosing more privacy-intrusive options during the registration process and when posting videos, in violation of Article 5(1)(a) GDPR.

Considering the number of violations found, the DPC imposed on TikTok a reprimand, an administrative fine of €345 million and an order for TikTok to bring its processing into compliance within 3 months.

Conclusion

With Meta’s fine from the DPC for its handling of children’s data in 2022 [2] and now TikTok’s, this is a clear message for all businesses that process children’s personal data to ensure they have robust procedures and policies in place when doing so. The UK Information Commissioner’s Office also imposed a fine on TikTok earlier this year for mishandling children’s data.[3]

The GDPR text expressly refers to the special protection that children’s personal data merits (see preamble (38) GDPR) and these fines reflect the extent to which data protection authorities enforce this. These decisions will have the attention of other Big Tech platforms as regards how they handle such personal data in the way that their platforms operate.

If you have any questions on the above or on how Preiskel & Co can help with bringing your company’s policies up to date in compliance with data protection laws, please contact Jose Saras and Sophia Yakhno.

Please see DPC’s press release here and final decision here.

 

The material contained in this article is only for general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.

This article is written in the English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

 

[1] See DPC’s press release dated 13 September 2023 here.

[2] See the DPC decision against Meta (28 July 2022) here whereby it fined Meta €405 million (£1bn) for infringement of personal data processing relating to child users of the social networking service, Instagram.

[3] See UK ICO decision against TikTok dated 4 April 2023 here.
