TikTok Slapped With €345m Fine for Violating EU Data Laws

TikTok has been hit with a staggering €345 million fine by the Irish Data Protection Commission (DPC) for serious infractions of EU data protection laws.

The hefty penalty stems from multiple breaches of the General Data Protection Regulation (GDPR), highlighting the company’s mishandling of children’s accounts and their content.

In a landmark decision, the DPC has found TikTok guilty of several violations, including failing to protect underage users’ content from public view and neglecting to verify the identity of adults accessing children’s accounts.


Default Public Setting: A Breach of Privacy


One of the most significant infringements was TikTok’s practice of automatically setting child users’ accounts to a public setting by default. This meant that the content of underage users was accessible to anyone on the platform, posing significant risks to their privacy and safety.

The DPC found that users aged 13 to 17 were steered through the sign-up process in a way that left their accounts wide open to public scrutiny. Public comments on these accounts further exacerbated the issue, creating an unsafe environment for young users.


Family Pairing Scheme Under Scrutiny


Another area of concern was TikTok’s “family pairing” scheme, designed to give adults control over a child’s account settings. However, the DPC discovered that TikTok did not adequately verify whether the adults “paired” with child users were genuine parents or guardians. This oversight raised serious questions about the platform’s commitment to child safety and privacy.


Inadequate Risk Assessment for Under-13s


TikTok’s negligence extended to its failure to assess the risks posed to users under the age of 13 who were placed on a public setting. This lack of consideration for the youngest users on the platform allowed virtually anyone to view their content, further highlighting TikTok’s shortcomings in protecting children.



Features Enabled by Default


The DPC also scrutinised TikTok’s features, particularly the Duet and Stitch functions, which allow users to combine their content with others. These features were enabled by default for users under 17, potentially exposing them to unwanted interactions and privacy breaches. However, the DPC did not find any GDPR violations related to age verification methods in this context.


TikTok’s Troubles Mount


This substantial fine from the Irish data watchdog comes shortly after TikTok was fined £12.7 million by the UK data regulator for unlawfully processing the data of over 1.4 million children under 13 without parental consent. In this case, the UK Information Commissioner criticised TikTok for not taking adequate measures to verify the age of its users.


TikTok’s Response and Regulatory Disagreements


In response to the DPC’s ruling, TikTok defended itself, stating that the criticisms focused on features and settings that were in place three years ago and had been addressed before the investigation began. TikTok argued that all accounts for users aged 13 to 15 have been set to private by default since 2021, demonstrating its commitment to rectifying past mistakes.

However, the DPC’s decision was not without controversy. The European Data Protection Board, a consortium of EU member state data and privacy regulators, overruled certain aspects of the DPC’s findings. Notably, the German regulator’s proposal that TikTok’s use of “dark patterns” breached GDPR provisions on fair data processing was included in the final decision, adding a layer of complexity to the case.

In conclusion, TikTok’s colossal fine serves as a stark reminder to tech companies about the importance of safeguarding children’s data and privacy in the digital age. The GDPR violations exposed in this case highlight the need for stringent enforcement of data protection laws to protect the most vulnerable users of online platforms.