Correctly processing children’s data: TikTok fined €345 million due to GDPR infringements
TikTok has been fined €345 million following a two-year investigation into privacy violations involving children's data. The Irish Data Protection Commission (DPC), the leading regulator for TikTok in the EU, found that TikTok violated eight GDPR articles, encompassing data processing legality, data security, and data subject access rights.
The default profile settings for children's accounts exposed their content to the public, and a feature named Family Pairing, designed for parental connections, inadvertently allowed any adult to pair up with children, raising concerns about child safety.
TikTok was also criticised for not providing sufficient information to child users and employing manipulative tactics during registration and video posting to encourage less privacy. The company has been issued a reprimand and ordered to change its practices within three months.
Additionally, TikTok's use of "dark patterns" during registration nudged users, especially children, toward selecting public account settings, thus compromising their privacy. This issue was brought before the European Data Protection Board (EDPB), highlighting the need for fairness and transparency in presenting choices to users, particularly children.
TikTok disputes the level of the DPC fine, stating that many criticisms had already been addressed before the investigation began, such as setting 13 to 15-year-old accounts to private by default. The company plans to introduce a redesigned registration process for 16 and 17-year-old users, pre-selecting private accounts.
In response to the findings, TikTok has vowed to establish a global Youth Council, focusing on teenagers' experiences on the platform and strengthening data protection compliance.
The DPC's inquiry into TikTok's data processing of child users resulted in a €345 million fine. The inquiry assessed public-by-default settings, Family Pairing features, age verification, transparency obligations, and fairness principles under the GDPR. The decision mandates TikTok to implement measures ensuring data processing complies with GDPR principles. This decision highlights the rigorous requirement to process children’s personal data correctly.
TikTok has initiated legal actions, appealing the DPC's decision and challenging it in the High Court.
About the author: Sinéad Leahy is a Trainee Solicitor with Dermot G. O’Donovan Solicitors.