Ireland’s data regulator has slapped a €345 million fine on TikTok for violating children’s privacy on its video-sharing app, after finding adults could enable direct messages for certain teenagers with whom they had no family connection.
The case against the Chinese-owned tech giant also showed how TikTok’s “family pairing” feature could link children’s accounts to “unverified” adults who were not their parents or guardians.
“The decision further details that non-child users had the power to enable direct messages for child users above the age of 16, thereby making this feature less strict for the child user,” said the office of Data Protection Commissioner (DPC) Helen Dixon.
In an investigation raising serious concerns over an app used by more than a billion people, TikTok was reprimanded for multiple breaches of EU data law in relation to teenagers and criticised for failing to protect preteens.
TikTok has been growing rapidly after the three-minute limit on viral dance videos, comedy skits and lip-sync routines proved a worldwide hit.
But in a case highlighting “risks” to TikTok’s young users, Ms Dixon examined how children signed up to the app “in such a manner that their accounts were set to public by default” on the system.
“This also meant that, for example, videos that were posted to child users’ accounts were public by default, comments were enabled publicly by default, the Duet and Stitch features were enabled by default,” Ms Dixon’s office said. These two features allow users to incorporate videos from other creators into their posts.
The decision also said the company “did not properly take into account” the risks posed to children under 13 who gained access to the app, because the default account setting allowed anyone on or off TikTok to view content they posted.
Ms Dixon initiated a “large-scale” investigation two years ago into TikTok, which employs 3,000 people in Ireland. The inquiry centred on EU law breaches in July-December 2020, although TikTok said it cut the offending features long ago.
The Irish regulator has issued “an order requiring [TikTok Technology Ltd] to bring its processing into compliance by taking the action specified within a period of three months from the date on which the DPC’s decision is notified” to the company, which happened on September 1st.
The ruling met a frosty response from TikTok. “We respectfully disagree with the decision, particularly the level of the fine imposed,” the company said in a Friday statement from its London office.
“The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”
TikTok’s spokesman said “we are evaluating our next steps” when asked whether it would appeal the DPC ruling in the High Court.
In addition to the fine for eight breaches of European law over children’s data, TikTok is under separate DPC investigation for personal data transfers to China in a case examining whether it met legal requirements for transfers to third countries.
Ms Dixon has sweeping powers under Europe’s general data protection regulation (GDPR) to supervise the pan-European operations of large tech groups such as TikTok that have their EU headquarters in Ireland.
The TikTok fine follows a succession of huge GDPR penalties against Facebook owner Meta and its subsidiaries, which now total some €2.5 billion. Meta has appealed such rulings.
When it was introduced five years ago, the GDPR regime was billed as a significant step in the drive to control how businesses exploit consumers’ personal information, although critics say enforcement should be sharper and swifter.
Penalties proposed by the Irish regulator must be approved by fellow regulators who sit with Ms Dixon in the Brussels-based European Data Protection Board.
Just as many of Ms Dixon’s draft rulings against Meta were challenged in the European board, the sanction against TikTok met resistance and was settled only after a dispute resolution procedure.
The objectors in this case were Italy’s national regulator and two regional German bodies, although Ms Dixon’s office said there was “broad consensus” on her original proposal.
The European board directed Ms Dixon to amend the draft decision to include a new GDPR infringement of the principle of fairness and to extend a compliance order on TikTok processing to embrace that finding.