On September 15, 2023, the Irish Data Protection Commission (the “DPC”) announced a fine of 345 million Euros against TikTok Technology Limited (“TikTok”) for non-compliance with GDPR rules regarding the processing of personal data of child users. This decision by the DPC reflects the binding decision of the European Data Protection Board (the “EDPB”) pursuant to Article 65 of the GDPR.
The DPC’s investigation focused on how TikTok processed the data of children between July 31, 2020 and December 31, 2020. In its decision, the DPC considered that TikTok:
- infringed the principles of data minimization (Article 5(1)(c)) and data protection by design and by default (Article 25), and its obligations as a data controller (Article 24), by making child accounts public by default and not adequately considering the privacy risks that this posed for children;
- infringed the principles of security and integrity (Article 5(1)(c)) and data protection by design and by default (Article 25), by setting up its “family pairing” option in a manner that allowed non-child users, who could not be verified as being the parent or guardian, to implement less privacy-protective settings in the child user’s account;
- failed to provide adequate information to child users, infringing the rules on transparency and provision of information in Articles 12 and 13 of the GDPR; and
- used dark patterns to nudge child users into selecting more privacy-intrusive settings, infringing the principle of fairness (Article 5(1)(a)). This finding follows an objection raised by the Berlin DPA and upheld by the EDPB, and was not included in the DPC’s original findings.
In addition to the fine, the DPC issued a reprimand and an order for TikTok to bring its processing into compliance within three months of the date on which it was notified of the decision.