The Chinese short-video making app TikTok has been fined 345 million euros ($379 million) by the Irish Data Protection Commission (DPC) for failing to keep kids’ data safe on its platform.
The fine, under the European Union’s General Data Protection Regulation (GDPR), was announced in relation to TikTok’s processing of personal data relating to child users of its platform. TikTok was found to have violated eight articles of the GDPR. As part of the inquiry, the DPC also examined certain of TikTok’s transparency obligations, including the extent of information provided to child users in relation to default settings. The Irish data watchdog now requires TikTok to bring its processing into compliance by taking the action specified within a period of three months.
TikTok said in a statement that it “respectfully disagrees with the decision, particularly the level of the fine imposed”. “The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes well before the investigation even began, such as setting all under 16 accounts to private by default,” the company added. Elaine Fox, TikTok’s head of privacy in Europe, argued in a blog post that the company addressed safety concerns prior to the DPC’s investigation, such as setting accounts of users aged 13-15 private by default. The DPC probe focused on a five month period (July 31, 2020 to December 31, 2020), looking at whether TikTok complied with its obligations under the GDPR in relation to its processing of personal data relating to child users. The probe was initiated in the context of certain platform settings (including public-by-default settings; and settings associated with the “Family Pairing” feature); as well as examining age verification as part of the registration process.