TikTok Hit with €345 Million GDPR Fine as Privacy Protection Becomes a Key Issue

Posted on Sep 26, 2023 by Glyn Moody

TikTok has officially come of age: it has joined an exclusive club of companies that have been hit with major fines for infringing on the EU’s main privacy law, the GDPR. The Irish Data Protection Commission (DPC) has imposed a €345 million fine (about $370 million) on the company for failing to protect children’s personal data in multiple ways.

The DPC began its investigations two years ago, when it explored two aspects of TikTok’s operations in the EU: how it processed children’s data, and how it transfers personal data to China. The DPC’s decision on the second of these has not yet been released, but is expected sometime next year.

Arriving at a ruling on how TikTok handles children’s personal data wasn’t straightforward. As the DPC explains, it submitted its draft decision to other EU data protection agencies a year ago. Two agencies – those based in Italy and Berlin – raised objections to the proposed decision. As with the €1.2 billion fine imposed on Meta earlier this year, this disagreement between EU agencies required the European Data Protection Board (EDPB) to adjudicate, which it has now done. The investigation concerned three aspects of TikTok’s handling of children’s private data:

  • Platform settings for children
  • Age verification
  • Transparency of information

The DPC found that the profile settings for children’s accounts were set to public by default, which meant that anyone on or off TikTok could view content posted by a child. The so-called Family Pairing setting allowed adults (who were not necessarily the child’s parent or guardian) to pair their account with a child’s account. This enabled adult users to send direct messages to children above the age of 16, posing “severe risks to child users” according to the DPC. Additionally, the fact that the profile settings for child users were set to public by default created further risks for children aged 13 or younger who gained access to TikTok.

As far as age verification was concerned, the final view was that TikTok had complied with the GDPR in its efforts to ensure that its platform was only available to those above the age of 13. The DPC also ruled that TikTok had implemented “dark patterns” that nudged users towards choosing more privacy-intrusive options during the registration process and when posting videos. While these UI issues have been around for a while, this is the first time a major ruling on the topic has been issued. The DPC also found that TikTok failed to provide sufficient transparency information to its child users.

As a result of the DPC investigation, and the EDPB’s comments, the decision against TikTok involves three elements:

  • A reprimand
  • An order requiring TikTok to bring its processing of children’s personal data into compliance with the GDPR within a period of three months from the date on which the DPC’s decision was notified to the company
  • Administrative fines totalling €345 million

In response to the DPC decision, TikTok’s Head of Privacy in Europe wrote: “We respectfully disagree with several aspects of the decision, particularly the level of the fine.” The company’s main argument is the following:

The DPC’s investigation focused on the period between July and December 2020 only. The DPC did not find that TikTok’s age assurance measures violated the GDPR, and most of the decision’s criticisms are no longer relevant as a result of measures we introduced at the start of 2021 – several months before the investigation began.

That’s a rather weak excuse. It’s like somebody saying it’s true they were driving above the speed limit, but that later they slowed down, so they should be let off. The point is that for a certain period of time, TikTok did not comply with the relevant law (the GDPR).

It’s true that in the last year or so, TikTok realized that it needed to strengthen its privacy protection, not least because bans on using its services have been brought in around the world. In January 2023, TikTok’s Global Head of Privacy & Regulatory Affairs wrote a post entitled “Data Privacy Day 2023: Recognizing work done and what’s next”. It provided information about a number of initiatives aimed at strengthening privacy in the US and EU. These included establishing TikTok US Data Security:

an independent business entity tasked with managing all business functions that require access to user data identified by the US government as needing additional protection and safeguarding the systems that deliver content on the app in the US to ensure that it is free from foreign manipulation.

Meanwhile, on the other side of the Atlantic, TikTok established a data center in Dublin to minimize data transfers outside the EU. More recently, this has been expanded as Project Clover:

a program focused on creating a secure enclave for European TikTok user data. This initiative will introduce a number of new measures to strengthen existing protections and further align our overall approach to data governance with the principle of European data sovereignty.

In response to continuing concerns about TikTok’s privacy policies, the company wrote a post called “Mythbusting: The Facts On Reports About Our Data Collection Practices” in February 2023 and another in June 2023 called “TikTok Truths: A new series on our privacy and data security practices.” Most recently, it has explained how it is complying with the new EU Digital Services Act, including the creation of a European Online Safety Hub.

These high-profile moves indicate how central protecting privacy has become to TikTok’s services. The latest GDPR fine from the DPC will doubtless encourage the company to continue its work in this area, which has to be good news for all its users as it continues to grow and expand into new areas.

Featured image by TikTok.