Ireland’s Data Protection Commission (DPC) on Friday announced a fine of €345 million, equivalent to approximately $368 million, on TikTok over alleged General Data Protection Regulation (GDPR) violations concerning children’s data protection.
TikTok Fined $368 Million For Mishandling Children’s Data
The investigation, which began in September 2021, looked into how TikTok handled the data of children aged between 13 and 17 for the period between July 31 and December 31, 2020, and whether it complied with its obligations under the GDPR in the context of:
- Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the ‘Family Pairing’ feature; and
- Age verification is part of the registration process.
- Transparency information for children.
The investigation found that the sign-up process for teen users resulted in settings being set to default, which means anyone (on or off TikTok) could view the content posted by the child user. This posed several possible risks to children under the age of 13 who gained access to the platform even though they weren’t allowed.
Also, the “Family-Pairing” setting allowed a non-child user to pair their account to a child user’s account without their consent, which allowed enabling of Direct Messages for child users above the age of 16, thereby posing several possible risks to the child user.
Further, TikTok also failed to provide sufficient transparency information to child users. Additionally, the social media platform
The DPC found TikTok responsible for infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) of the European’s GDPR, and adopted its final decision regarding its inquiry into the social media platform on September 1, 2023.
With regards to this, the DPC has issued: a reprimand, an order for TikTok to bring their processing into compliance within three months, and an administrative fine of €345 million.
TikTok said it disagreed with the decision, particularly the level of the fine imposed by the DPC.
“The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began – such as setting all under – 16 accounts to private by default,” TikTok said in a statement.
“Most of the decision’s criticisms are no longer relevant as a result of measures we introduced at the start of 2021 — several months before the investigation began,” Elaine Fox, TikTok’s head of privacy for Europe, wrote in a blog post.
This is not the first time that TikTok has been imposed a fine for breaching the data-protection laws. Earlier this year, the UK’s Information Commissioner Office fined TikTok more than £12 million for allowing children below the age of 13 to use the platform in 2020.