Irish watchdog fines TikTok €345M for mishandling kids' data

Tok is Tiking for app to bring processing into compliance within 3 months


The Irish Data Protection Commission has fined TikTok €345 million ($367 million) for breaking European law over how it processed children's data.

The decision, which says the video app broke several GDPR rules, comes after an investigation that began in 2021, when European authorities started looking into whether TikTok's age verification protocols were tight enough to keep children under 13 out.

A TikTok spokesperson told us: "We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC's criticisms are focused on features and settings that were in place three years ago, and that we made changes well before the investigation even began, such as setting all under 16 accounts to private by default."

During the year of the probe, TikTok itself removed over 7 million accounts suspected of belonging to underage kids. Children aged 13 and above are allowed to use the platform, which is massively popular with teens. However, it lacked age verification controls, something that was a concern of Italy's data protection authority.

European Data Protection Supervisor steps in

Italy – along with Germany's watchdog – lodged an objection against an earlier draft decision issued by the Irish regulator, the lead supervisory authority for the probe.

The European Data Protection Supervisor (EDPS) resolved that spat between the member state regulators last month, clearing the way for this week's announcement, nearly a year after Ireland's original draft decision.

Italy had wanted to reverse the DPC's proposed finding that TikTok had complied with Article 25 GDPR (data protection by design) with regard to age verification. Meanwhile, an objection raised by the Berlin authority sought the inclusion of an additional finding of infringement of the Article 5(1)(a) GDPR principle of fairness as regards "dark patterns" – methods by which a vendor might manipulate a consumer into making decisions to do with the product.

But the EDPB didn't agree with Italy, and didn't order an infringement for lack of age verification. The Irish DPC said in a statement that while its final "decision does not establish a violation of Article 25 as regards TikTok's age verification methods, the DPC decision does record a finding of infringement of Article 24(1) GDPR as regards TikTok's consideration of the certain risks posed to those under 13s who did gain access to the TikTok platform."

It said TikTok broke the rules during the relevant period in 2020 because it did not properly take into account the risks posed to those under 13 who gained access to the TikTok platform by the default account setting, which allowed anyone (on or off TikTok) to view social media content posted by those users.

The dark patterns breach suggested by the Berlin authority did stick, however, with the EDPS telling the Irish DPC to amend its draft decision to include a new finding of infringement of the GDPR principle of fairness because of the inclusion of dark patterns.

The decision describes "in some detail how child users progressed through the sign-up to the TikTok platform in such a manner that their accounts were set to public by default and risks associated with such data processing for child users," the DPC noted.

Besides coughing up nearly half a billion, TikTok parent ByteDance will also have to "bring its processing into compliance" with the law within three months of the decision, said the DPC.

TikTok has been under fire for years over concerns about ByteDance's data collection policies. A certain orange-hued former president banned the app in his administration over the possibility it was a national security threat, alleging it was feeding data to the Chinese Communist Party. India, Pakistan, Indonesia, and Bangladesh also had concerns. A Citizen Lab report at the time said it was "no worse than Facebook for privacy" – which is perhaps damning it with faint praise.

TikTok has always denied that it is beholden to China's government, that it would share data with the Chinese government, and that it conducts surveillance via its app.

It had previously settled several privacy class actions in the US for $92 million.

It has also been banned for use by US Department of Defense contractors. Earlier this year, the UK government stopped ministers and officials from using TikTok on their work devices as a "precautionary" measure over worries the app is used to snoop on Brits. Not in time to stop former digital secretary Nadine Dorries from doing a TikTok rap, though. ®
