Ireland: DPC fines TikTok €345M for unlawful processing of children's data

On September 15, 2023, the Irish Data Protection Commissioner (DPC) announced its decision, dated September 1, 2023, in which it fined TikTok Technology Limited €345 million for a breach of the General Data Protection Regulation (GDPR) relating to the processing of children's personal data.

Background to the decision

The DPC's inquiry into TikTok commenced on September 14, 2021, following requests from both the Dutch data protection authority (AP) and the French data protection authority (CNIL) in 2021 to provide mutual assistance in relation to inquiries initiated by the respective supervisory authorities. Specifically, the DPC clarified that the inquiry into TikTok relates to the processing of personal data during the period between July 31, 2020, and December 31, 2020.

The DPC submitted a draft decision to all supervisory authorities concerned for the purposes of Article 60(3) of the GDPR on September 13, 2022, proposing infringements of Articles 5(1)(c), 5(1)(f), 12(1), 13(1)(e), 24(1), 25(1), and 25(2) of the GDPR. Objections to the draft decision were raised by both the Italian data protection authority (Garante) and the Berlin data protection authority, acting on behalf of the Baden-Württemberg data protection authority (LfDI Baden-Württemberg).

Findings of the DPC

In particular, the DPC found that the profile settings for child users of TikTok were set to public by default, allowing anyone to view the content posted by child users. Accordingly, the DPC determined that TikTok failed to implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for TikTok's processing was processed. Therefore, contrary to the principle of data protection by default and by design, TikTok violated Articles 5(1)(c), 25(1), and 25(2) of the GDPR.

In addition, the DPC found that the implementation of a default account setting for child users, which allowed anyone to view social media content posted by children, failed to take into account the possible risks to the rights and freedoms of child users. Thus, TikTok was found to have not implemented appropriate technical and organizational measures, in violation of Article 24(1) of the GDPR. Similarly, the setting of child users' profiles to public was considered to pose a risk to children under the age of 13. Consequently, TikTok was also found in violation of Article 24(1) of the GDPR.

Notably, the DPC also found that TikTok implemented a platform setting called 'Family Pairing' for child users whereby a non-child user could pair their account to a child user, enabling direct messaging between non-child users and child users above the age of 16. Such processing was considered by the DPC to not ensure appropriate security of personal data, and TikTok's failure to implement the integrity and confidentiality principle was deemed in violation of Articles 5(1)(f) and 25(1) of the GDPR.

The DPC also found that TikTok failed to provide child users with information on the recipients or categories of recipients of personal data, in violation of Article 13(1)(e) of the GDPR. Because TikTok did not provide child users with information on the scope and consequences of the public-by-default processing in a concise, transparent, and intelligible manner, the DPC considered TikTok to have also violated Article 12(1) of the GDPR.

Finally, the DPC established that TikTok implemented 'dark patterns' by nudging users towards more privacy-intrusive options during the registration process and when posting videos. Therefore, TikTok was found to have violated Article 5(1)(a) of the GDPR.

Outcomes

Consequently, the DPC issued a reprimand to TikTok for the infringements of the GDPR, recognizing the seriousness of the infringements.

Further, the DPC issued a corrective order, pursuant to Article 58(2)(d) of the GDPR, requiring TikTok to bring its processing into compliance with the GDPR within three months of notification of the decision.

Finally, the DPC imposed an administrative fine of €345 million.

You can read the press release here, the decision here, and the European Data Protection Board binding decision here.
