15-9-2023 (DUBLIN) The Irish Data Protection Commission (DPC) has issued a decision stating that the popular social media app TikTok, owned by a Chinese company, has violated children’s privacy in Europe. The DPC found that TikTok failed to adequately protect children’s personal information by making their accounts publicly accessible by default. Additionally, the platform did not effectively address the risks associated with users under the age of 13 accessing its services. As a result, TikTok has been fined €345 million for breaching the European Union’s General Data Protection Regulation (GDPR), a significant privacy law.
The imposition of such a headline penalty reflects the DPC’s discovery that child users were exposed to significant risks due to TikTok’s decision to set child user accounts to public settings upon registration. Helen Dixon, the Irish data protection commissioner, emphasized the extent of the violation in a written statement, stating, “Alone the fine of €345 million is a headline sanction to impose but reflects the extent to which the DPC identified child users were exposed to risk in particular arising from TikTok’s decision at the time to default child user accounts to public settings on registration.”
The DPC’s investigation revealed that between July and December 2020, TikTok unlawfully made accounts of users aged 13 to 17 public by default, allowing anyone to view and comment on their posted videos. Furthermore, TikTok failed to adequately assess the risk of users under the age of 13 accessing its platform. The regulator also discovered that TikTok was using manipulative pop-ups to coax teenagers into making their accounts and videos public. The DPC has ordered TikTok to modify these deceptive designs, known as dark patterns, within the next three months.
During the latter half of 2020, minors’ accounts were occasionally paired with unverified adult accounts. The DPC revealed that the video platform had previously neglected to explain to teenagers the consequences of making their content and accounts public.
Morgan Evans, a spokesperson for TikTok, expressed disagreement with the DPC’s decision, particularly regarding the magnitude of the fine imposed. Evans argued that the DPC’s criticisms focused on features and settings that were in place three years ago and were already modified prior to the commencement of the investigation. TikTok had already set all accounts of users under 16 to private by default.
TikTok has committed to complying with the order to modify misleading designs by extending default privacy settings to accounts of new users aged 16 and 17 later this month. Additionally, the company will introduce changes to the pop-up notifications received by young users when they first post a video within the next three months.
This fine represents the largest privacy penalty ever imposed on TikTok, which currently boasts 134 million monthly active users in Europe. It is also the fifth-largest fine imposed on any technology company under the GDPR. The platform, popular among teenagers, has previously faced criticism for insufficiently addressing the risks it poses to its young users, including dangerous viral challenges and its addictive algorithm. Moreover, TikTok, along with 18 other online platforms, must now limit risks such as cyberbullying to avoid substantial fines under the Digital Services Act (DSA).
This costly fine further compounds TikTok’s challenges in Europe, following a series of restrictions imposed earlier this year due to concerns about its ties to China.
With its parent company, ByteDance, based in Beijing, the social media app has struggled to allay concerns about its data security. The company recently announced that it had begun transferring its European data to a center located within the European Union. Nevertheless, it remains under investigation by the Irish Data Protection Commission for potentially unlawful data transfers to China involving European users. Because TikTok established its legal EU headquarters in Dublin in late 2020, the Irish privacy watchdog has been the designated supervisor for the entire bloc under the GDPR.
During the summer, other national regulators, via the European Data Protection Board (EDPB), participated in the investigation. Two German privacy agencies and Italy’s regulator disagreed with Ireland’s initial findings, prompting the EDPB to intervene. The board instructed Ireland to penalize TikTok for encouraging users to create public accounts through misleading pop-ups.
The European regulators’ board also expressed “serious doubts” about the effectiveness of TikTok’s measures to prevent users under the age of 13 from accessing its platform during the second half of 2020. The EDPB stated that these mechanisms could be easily circumvented and that TikTok failed to systematically verify users’ ages for existing accounts. However, due to a lack of available information during the cooperation process, the group was unable to identify a specific infringement.
In April, the United Kingdom’s data protection regulator fined TikTok £12.7 million (€14.8 million) for allowing children under 13 to use its platform and utilizing their data. Additionally, the Dutch privacy authority imposed a €750,000 fine on the company in 2021 for failing to safeguard Dutch children