On Friday, 15 September, the Irish Data Protection Commission (DPC) fined TikTok €345 million for breaching EU General Data Protection Regulation (GDPR) rules concerning children and teenagers during the period 31 July 2020 to 31 December 2020. This is the first time that the EU has issued a fine to the Chinese-owned social media platform.
Following the conclusion of its investigation that began in September 2021, the DPC found TikTok to have infringed Articles 5(1)(c), 5(1)(f), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) of the GDPR by setting the profiles of children aged 13-17 to default to a public setting. This meant that anyone on or off TikTok could view their content and contact them.
In its Article 65 binding dispute resolution decision in August, the European Data Protection Board (EDPB) added Article Article 5(1)(a) to the list of GDPR violations. The EDPB focused on the company's design practices related to the Registration Pop-Up and the Video Posting Pop-Up that were shown to children aged 13-17, which failed to present options to the user in an objective and neutral way. According to EDPB Chair Anu Talus, social media platforms have a responsibility to avoid presenting choices to users, especially children, in an unfair manner.
In a statement responding to the decision, TikTok Head of Privacy, Europe, Elaine Fox, said: "We respectfully disagree with several aspects of the decision, particularly the level of the fine... The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default."
Additional analysis from the IAPP considers the objections raised by the Berlin Commissioner for Data Protection and Freedom of Information along with Italy's data protection authority, the Garante.
The DPC €345 million fine follows a similar conclusion reached by the Information Commissioner's Office (ICO), which issued TikTok with a £12.7 million monetary penalty in May.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 4,250 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.