TikTok faces a hefty €345 million fine for violating the General Data Protection Regulation (GDPR), particularly in its handling of children’s accounts, where it failed to adequately protect underage users’ data from public visibility.
DPC’s Inquiry: Examining TikTok’s Practices
The Irish Data Protection Commission (DPC) wrapped up its investigation into TikTok Technology Limited in September 2023. It examined how TikTok processed children’s data between July 31 and December 31, 2020.
This inquiry, which the DPC initiated on its own, aimed to check if TikTok followed the rules outlined in the GDPR while handling personal data of young users of the TikTok platform. Specifically, it looked into:
- Platform Settings: Various TikTok platform settings, including those that made user data public by default and settings linked to the ‘Family Pairing’ feature.
- Age Verification: The age verification process during registration.
- Communication with Child Users: How well TikTok communicated with child users regarding default settings and privacy.
Identified GDPR Violations
The investigation uncovered several GDPR violations committed by TikTok, including setting child users’ accounts to public mode by default, failing to provide clear information to young users, permitting adults using the “family pairing” feature to enable direct messaging for those over 16, and not adequately considering the risks faced by under-13s placed in a public setting on the platform.
DPC’s Preliminary Decision and CSA Objections
Following the investigation, the DPC sent a preliminary decision to all Supervisory Authorities Concerned (CSAs). In this draft decision, the DPC suggested that TikTok violated several GDPR articles, including principles related to the processing of personal data, the responsibility of the controller, transparency and data protection by design and by default.
While most CSAs agreed with these findings, the Italian authority and the Berlin authority (the latter acting on behalf of Berlin and Baden-Württemberg) raised objections.
Berlin’s objection centered on the need to add another violation related to the GDPR principle of fairness in dealing with ‘dark patterns.’ Meanwhile, the Italian authority contested the DPC’s conclusion that TikTok complied with Article 25 of the GDPR concerning age verification during the relevant period.
Since there was no consensus among the CSAs regarding these objections, the DPC decided to refer the matter to the European Data Protection Board (EDPB) for resolution under the Article 65 GDPR dispute resolution mechanism.
EDPB’s Binding Decision
On August 2, 2023, the European Data Protection Board issued a binding decision addressing the design practices implemented by TikTok in the context of two pop-up notifications shown to children aged 13-17: the Registration Pop-Up and the Video Posting Pop-Up. The analysis found that both pop-ups failed to present options to the user in an objective and neutral way.
It directed the DPC to revise its draft decision to include an additional violation related to the GDPR’s fairness principle, as suggested by the Berlin authority. Considering the newly identified violation, the decision also expanded the requirements to bring TikTok’s data processing practices into compliance.
Anu Talus, EDPB Chair, said: “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design.”
DPC’s Final Decision
The DPC’s final decision, dated September 1, 2023, confirms multiple GDPR violations, including those related to data processing, transparency, and fairness. To address these issues, the DPC issued the following measures:
- A reprimand to TikTok.
- An order instructing TikTok to rectify its data processing practices within three months from the date of notification of the DPC’s decision.
- Imposition of an administrative fine totaling €345 million.