TikTok Fined $368 Million in Europe

The Irish Data Protection Commission (DPC) has announced a substantial fine of €345 million (approx. $368 million) against TikTok following an extensive investigation into its data processing practices.

The DPC initiated this voluntary inquiry to assess TikTok’s compliance with the General Data Protection Regulation (GDPR) concerning the personal data of child users on the platform.

The inquiry focused on several aspects, including TikTok’s default platform settings and its ‘Family Pairing’ feature, as well as age verification during registration. Additionally, the DPC examined TikTok’s transparency obligations, particularly in relation to default settings for child users.

After concluding its investigation, the DPC submitted a draft decision to various Supervisory Authorities Concerned (CSAs) on September 13, 2022.

The draft decision highlighted several GDPR violations, including infringements of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), and 13(1)(e). While there was general agreement on the findings, objections were raised by the Supervisory Authorities of Italy and Berlin.

Berlin’s Supervisory Authority requested the inclusion of an additional violation related to the GDPR principle of fairness, specifically concerning ‘dark patterns.’

On the other hand, the Italian Supervisory Authority sought to reverse the DPC’s finding of compliance with Article 25 of GDPR regarding TikTok’s approach to age verification during the Relevant Period.

These objections led to a deadlock, prompting the DPC to refer the matter to the European Data Protection Board (EDPB) for resolution under Article 65 of GDPR.

The DPC’s final decision, dated September 1, 2023, records multiple GDPR violations. As a result, TikTok faces severe consequences, including a reprimand, a three-month deadline to bring its processing practices into compliance, and a staggering administrative fine.

More information about the decision is available on the EDPB website here.