15th September 2023 – (Dublin) TikTok, the booming social media application, has been hit with a substantial €345 million fine by the Irish Data Protection Commission (DPC) for its failure to safeguard children’s personal information. The Chinese-owned app allowed children’s accounts to be publicly accessible by default and did not adequately address the risk of under-13 users accessing the platform, a decision published by the DPC on Friday revealed.
The penalty comes amidst heightened tensions between the European Union and China, following the EU’s announcement of an investigation into Chinese state subsidies for electric cars. European Commission Vice President Věra Jourová is also scheduled to visit China next week for discussions on technology policies, as concerns grow over Beijing’s data gathering and cyber espionage practices.
Helen Dixon, the Irish data protection commissioner, emphasized the severity of the fine, stating, “Alone the fine of [€345 million] is a headline sanction to impose but reflects the extent to which the DPC identified child users were exposed to risk in particular arising from TikTok’s decision at the time to default child user accounts to public settings on registration.”
The DPC found that between July and December 2020, TikTok unlawfully made accounts of users aged 13 to 17 public by default, allowing anyone to view and comment on their videos. The company also failed to properly assess the risks of users under the age of 13 accessing the platform. Additionally, TikTok was found to be using manipulative pop-ups to encourage teenagers to make their accounts and videos public, a practice known as “dark patterns.” The regulator ordered TikTok to rectify these misleading designs within the next three months.
During the latter half of 2020, minors’ accounts were paired with unverified adult accounts, and TikTok had not adequately explained to teenagers the consequences of making their content and accounts public, according to the authority.
In response to the decision, a TikTok spokesperson, Morgan Evans, expressed disagreement, particularly with the level of the fine imposed. Evans stated, “The [Data Protection Commission]’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”
TikTok has committed to complying with the order by extending default-privacy settings to the accounts of new users aged 16 and 17 later this month. The company will also implement changes to the pop-up notifications that young users receive when posting their first video within the next three months.
This decision marks the largest-ever privacy fine for TikTok, which is currently being used by 134 million Europeans on a monthly basis. It is also the fifth-largest fine imposed on any tech company under the General Data Protection Regulation (GDPR).
TikTok, known for its popularity among teenagers, has faced previous criticism for insufficiently addressing the potential harms it poses to young users, including viral challenges with dangerous consequences and its addictive algorithm. The platform, along with 18 other online platforms, will now be required to mitigate risks such as cyberbullying or face significant fines under the Digital Services Act (DSA).
The hefty fine adds to TikTok’s challenges in Europe, as it has already faced increased restrictions earlier this year due to concerns regarding its ties to China.
Despite the company’s recent announcement of moving its European data to a centre within the EU, it remains under investigation by the Irish Data Protection Commission for potentially unlawful transfer of European users’ data to China.
The Irish data authority began its probe into TikTok’s compliance with children’s privacy requirements in 2021. Since establishing its legal EU headquarters in Dublin in late 2020, TikTok has been under the supervision of the Irish privacy watchdog across the entire bloc under the GDPR.
Other national regulators, via the European Data Protection Board (EDPB), joined the investigation during the summer after German and Italian privacy agencies disagreed with Ireland’s initial findings. The EDPB instructed Ireland to penalize TikTok for its misleading pop-ups that encouraged users to create public accounts.
The board of European regulators also expressed “serious doubts” about TikTok’s effectiveness in preventing users under the age of 13 from accessing the platform during the second half of 2020. Although the group acknowledged a lack of available information during their cooperation process, they highlighted the ease with which the platform’s age verification mechanisms could be circumvented.
Earlier this year, the United Kingdom’s data regulator fined TikTok £12.7 million (€14.8 million) for allowing children under 13 on its platform and using their data. Additionally, the Dutch privacy authority imposed a €750,000 fine in 2021 on TikTok for failing to protect Dutch children by not providing a privacy policy in their native language.