In a landmark decision, Irish authorities have levied an unprecedented fine of €345m (£296m) against TikTok, holding the social media giant accountable for infringing upon children’s privacy rights. This punitive action relates to the manner in which TikTok managed minors’ data during the year 2020, with specific emphasis on its age verification process and privacy norms.
This fine represents the heftiest financial penalty that TikTok has faced hitherto from regulatory bodies. However, despite the looming financial burden, the social media firm displayed disagreement with the verdict, especially concerning the severity of the fine.
The firm highlighted that the debated features and settings, which were instrumental in the violation, were altered well before the scrutiny started. For instance, accounts belonging to anyone aged under 16 were set to private by default.
The fine was imposed by the Ireland’s Data Protection Commission (DPC) in accordance with the EU’s General Data Protection Regulation (GDPR) privacy law. This legislation outlines a stringent protocol that organisations must adhere to in their handling of data.
After a detailed investigation, the DPC concluded that TikTok’s level of transparency regarding its privacy settings was insufficient and that there were uncertainties around how the children’s data were being treated.
Data Protection Commissioner, Helen Dixon, pointed out that the design of TikTok’s platform not only ensured that accounts made by individuals aged 13 to 17 were auto-set to public upon registration, but also made their posted content accessible to a global audience. In doing so, the company allegedly violated the design and default requirements stipulated by GDPR.
Following the decision, TikTok has been granted a window of three months to overhaul its data processing methodologies so they are completely in sync with GDPR.
Prof. Sonia Livingstone of the London School of Economics and Political Science, an expert researching children’s digital rights, effusively welcomed the ruling.
Livingstone highlighted the imperative for digital platforms to be clear about their data policies and to honour their commitment to keeping the user data secure, which she deemed to be a child’s inalienable right.
In addition to this case, TikTok is currently under investigation for potentially illegal data transfer from the EU to China. It is noteworthy that TikTok’s parent company, ByteDance, is based in Beijing.
Although the fine seems hefty, it pales in comparison to some recent sanctions, such as the €1.2bn (£1bn) fine imposed on Meta by the same regulatory body in May for improperly managing users’ data during transatlantic transfers.
Despite being significantly higher than the £12.7m penalty incurred from the UK regulatory body in April for permitting children under 13 to use its platform in 2020, the DPC’s fine is specifically in relation to TikTok’s actions during that same year.
In an attempt to comply with these regulations, TikTok has implemented several corrective measures in recent years, such as becoming among the first social media platforms to make accounts of 13 to 15-year-olds private by default in January 2021. Moreover, it plans to introduce a change later this month which will mandate that accounts of all 16 and 17-year-olds signing up to the platform be set to private by default.