The Irish Data Protection Commission (DPC) announced a penalty of 345 million euros (U.S. $368 million) against popular social media company TikTok over alleged violations of the European Union’s General Data Protection Regulation (GDPR) during a five-month period in 2020.
The fine against TikTok Technology Limited addresses alleged violations of Articles 5, 12, 13, 24, and 25 of the GDPR, specifically in relation to public-by-default and age-verification settings on its platform, the Irish DPC said in a press release Friday.
In total, TikTok was fined €165 million (U.S. $176 million) for the alleged violations of Articles 5 and 25 and €180 million (U.S. $192 million) regarding Articles 12 and 13, according to a final decision published by the European Data Protection Board (EDPB), which intervened in the cross-border case.
The details: Between July 2020 and December 2020, TikTok’s profile settings for child user accounts—ages 13 to 17 years old—were set to public by default, the Irish DPC alleged. Because of this setting, child users under the age of 13 who gained access to the platform were also put at serious risk, the regulator noted.
During the same period, the platform’s “Family Pairing” setting allowed nonchild users who could not be verified as the parent or guardian to pair their account to a child user account. This allowed nonchild users to enable direct messaging for users above the age of 16.
In September 2022, the Irish DPC submitted its draft decision in the case to all data protection authorities in the European Union, with the DPAs in Germany and Italy objecting.
Germany sought inclusion of violations of Article 5 of the GDPR, due to TikTok’s alleged “dark patterns” in the registration process, while Italy sought inclusion of infringement of Article 25 in relation to TikTok’s age verification process.
The case was referred to the EDPB, as required under the dispute resolution mechanism of the GDPR.
The EDPB adopted its binding decision in August, amending the Irish DPC’s draft decision to include TikTok’s alleged failure to verify the ages of child users and its use of dark patterns to nudge users into selecting more privacy-intrusive options during the registration and video-posting process.
Compliance considerations: TikTok received a reprimand and must bring its data processing into compliance within three months.
Company response: “We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default,” a TikTok spokesperson said in an emailed statement.
In a blog post, Elaine Fox, TikTok’s head of privacy in Europe, said, “We’ll also continue to focus on further strengthening a culture of compliance across our business. … [W]e will not hesitate to make significant changes to product features and processes to ensure TikTok meets the high standard of European safety and privacy regulation.”