TikTok Fined 345 Million Euros Over Child Data

The Irish Data Protection Commission (DPC) has levelled the largest fine to date for the Chinese owned video-sharing platform TikTok.

On Friday Ireland’s DPC announced that TikTok had breached GDPR child privacy laws between 31 July 2020 and 31 December 2020, and therefore fined the firm 345 million euros (£297 million).

This is not the first financial penalty for TikTok this year. In April the UK’s Information Commissioner’s Office (ICO) fined TikTok £12.7 million for failing to protect the privacy of children aged under 13.

UK fine

The UK fine came amid wider scrutiny of the platform’s data controls, and also allegations that the Chinese-owned social media app did not do enough to check who was using the platform and remove underage accounts.

This led “up to 1.4 million UK children” gaining access to the platform as of 2020, according to the UK ICO’s estimate – even though this was against TikTok’s own policies.

Last September the ICO had warned TikTok of a possible £27m fine.

Irish fine

And now it seems that the Irish DPC has reached its final decision regarding its inquiry into TikTok Technology.

The Irish DPC is the lead regulator in the European Union for many of the world’s top tech firms due to the location of their regional headquarters in Ireland.

The Irish DPC said its inquiry sought to examine the extent to which, during the period between 31 July 2020 and 31 December 2020, TikTok complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform.

The German and Italian data protection watchdogs had objected to the Irish DPC draft decision on the matter. Berlin had objected as it wanted the inclusion of an additional finding of GDPR infringement, while the Italian watchdog sought to reverse the DPC’s proposed finding regarding TikTok’s approach to age verification.

The Irish DPC was unable to reach consensus with the CSAs on the subject-matter, and thus decided to refer the objections to the EDPB (European Data Protection Board) for determination.

The European Data Protection Board adopted its binding decision, with a direction that the Irish DPC must amend its draft decision to include the German objection.

TikTok was therefore issued a reprimand; and ordered to bring its processing into compliance, and the platform was also hit with ‘administrative fines’ totalling €345 million.

The DPC gave TikTok three months to bring all its processing into compliance where infringements were found.

TikTok response

It should be noted that the Irish DPC also has another open investigation into the transferring by TikTok of personal data to China and whether it complies with EU data law.

Meanwhile a spokesperson for TikTok told the BBC it “respectfully disagree[s] with the decision, particularly the level of the fine imposed”.

“The criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default,” the spokesperson reportedly said.

There was no word on whether TikTok plans to appeal the ruling.

Stark warning

The Irish DPC fine of TikTok was noted Antony O’Loughlin, director head of litigation and general counsel at law firm Setfords.

“The €345m fine imposed by Ireland’s Data Protection Commission against TikTok Technology represents another stark warning to technology companies over the need to ensure user privacy, especially in respect of children and young people (as well as vulnerable users),” said O’Loughlin.

“In spite of the claims from TikTok that it has now taken steps to privatise the profiles of child users by default and properly inform them in respect of the accessibility of their profiles online, the level of the fine and the ongoing investigation by the DPC into data transfers by TikTok to China is a reminder that in spite of the sheer size and scope of TikTok, it must still operate within rules and laws designed to protect its most vulnerable users,” O’Loughlin added.