TikTok fined €345m over GDPR breaches
Ireland’s Data Protection Commission has imposed fines totalling €345 million on TikTok over GDPR breaches relating to the processing of children’s personal data.
The DPC’s final decision, published today, follows a binding decision by the European Data Protection Board (EDPB) last month. However, unlike in a number of recent high-profile cases, the EDPB did not direct the Irish watchdog to increase the proposed fines of €220m to €380m which were set out in its draft decision.
The investigation concerned whether TikTok was complying with the GDPR in relation to default user settings and age verification for child users.
The DPC’s findings include that, in the period from 31 July to 31 December 2020:
- the profile settings for child user accounts were set to public by default, meaning anyone (on or off TikTok) could view the content posted by the child user, infringing Articles 25(1), 25(2), 5(1)(c) and 24(1) GDPR;
- the Family Pairing setting allowed a non-child user (who could not be verified as a parent or guardian) to pair their account to a child user’s account, allowing the non-child user to enable direct messages for child users above the age of 16, which posed severe risks to child users, infringing Articles 5(1)(f) and 25(1) GDPR;
- the fact that profile settings for child users were set to public by default also posed several possible risks to children under the age of 13 who gained access to the platform, infringing Article 24(1) GDPR;
- TikTok failed to provide sufficient transparency information to child users, infringing Articles 12(1) and 13(1)(e) GDPR; and
- TikTok implemented ‘dark patterns’ by nudging users towards choosing more privacy-intrusive options during the registration process and when posting videos, infringing Article 5(1)(a) GDPR.
The finding in relation to ‘dark patterns’ was included in the final decision on the direction of the GDPR following an objection from the data protection authority in Berlin.
The DPC did not find that TikTok’s age verification processes infringed the GDPR, and the EDPB rejected an objection from Italy’s data protection authority on this matter.
TikTok has been reprimanded and ordered to bring its processing into full compliance within three months and to pay administrative fines totalling €345 million.
The DPC’s final decision can still be challenged by TikTok in the High Court.