The Irish Data Protection Commission (DPC) announced on Friday a €345m million fine against social media giant TikTok for severe breaches of data protection regulations. The DPC’s investigation into TikTok’s practices was prompted by escalating concerns over the platform’s handling of personal data, particularly that of minors. The probe scrutinized the company’s compliance with the General Data Protection Regulation (GDPR), which mandates rigorous standards for data privacy and protection across the European Union.
The DPC’s investigation started in September 2021 and mainly examined how TikTok processed children’s data between 31 July and 31 Dec 2020. During the investigation, the DPC focused on how TikTok processed children’s data by looking at the platform settings for child users, including the Family-Pairing setting, age verification, and transparency information for children. They found that child accounts were automatically set to public, exposing minors to potential privacy and safety risks. Additionally, the Family-Pairing feature inadvertently allowed non-verified users to connect with child accounts, while default public profile settings posed risks to children under 13 who accessed the platform. TikTok also fell short in providing adequate transparency information to young users.
After the draft decision was issued, the Italian and Berlin data protection authorities raised reasoned objections, with additional feedback coming from other authorities. Faced with divergent views on the final decision’s contents, the matter was elevated to the European Data Protection Board (EDPB) for a decisive ruling. The EDPB mandated that the DPC, in its final decision, include a new finding of infringement addressing concerns about TikTok’s influence on users’ privacy choices and impose an augmented penalty.
Anu Talus, the EDPB Chair, emphasized that social media platforms must ensure that privacy choices are presented fairly, especially when catering to children. This entails providing options transparently and neutrally, without deceptive or manipulative elements. The decision reinforces the need for digital platforms to be vigilant in safeguarding children’s data protection rights.
In response, TikTok affirmed its commitment to data privacy and protection. The platform acknowledged the significance of user privacy and outlined steps taken to enhance safeguards, particularly for younger users. TikTok expressed its intention to collaborate closely with the DPC to rectify identified issues and ensure compliance with data protection regulations.