TikTok might be a marketer’s dream but it is also a data protection nightmare, with the EU the latest to whack the business over privacy failings, dishing out a €345m (£269m) fine over the illegal processing of youngsters’ personal data.
The move follows a £12.7m penalty issued by the UK Information Commissioner’s Office in April this year and historic fines in the US, but is the first handed out by the bloc to the Chinese-owned platform.
The original complaint was filed in February 2021 by the largest consumer group in Europe, the European Consumer Organisation (BEUC), whose UK members include Which? and Citizens Advice.
The 44-member organisation claimed a major investigation had exposed breaches of consumer rights on a “massive scale”. The main thrust of its complaint was that TikTok’s terms of service were “unclear, ambiguous and favour TikTok to the detriment of its users”.
The Irish Data Protection Commission, the regulator which covers TikTok in the EU, launched an investigation in September 2021. The probe found TikTok had infringed GDPR by setting the profiles of children aged 13 to 17 to default to a public setting, meaning anyone on or off TikTok could view their content and contact them.
On completion of the investigation, the Irish then presented their findings – and proposed penalty – to other EU regulators as is the official procedure.
The DPC was then ordered by the European Data Protection Board to toughen the initial decision, following objections raised by the Italian and German data protection bodies, but the fine remained unchanged.
In the ruling, the Dublin-based DPC said that TikTok failed to provide child users with enough transparency over what was happening to their data and pushed them towards more intrusive options.
In addition, under a family pairing setting, it could not be verified that the adult paired with a child’s account was the parent or guardian, and that adult was able to allow over-16s to access direct messaging features, the DPC ruled.
In a statement, TikTok owner ByteDance, which is based in Beijing, said it had not yet decided whether to appeal.
The firm added: “We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”
Meanwhile, TikTok’s head of privacy for Europe Elaine Fox said the platform would “continue to strengthen protections for teenagers”.
The fine is the latest against social media platforms for lax privacy protections and comes as the Irish DPC is finalising another investigation into TikTok, this time over data transfers to China.
Facebook-owner Meta was slapped with a record €1.2bn fine in May but more importantly was ordered to suspend transfers of user data to the US. At the time, Meta was given five months to stop sending data from Europe to the US and six months to stop handling data it previously collected, which could mean deleting photos, videos, and Facebook posts or moving them back to Europe.
Meanwhile, Meta’s Instagram was fined €405m by the Irish DPC in September 2022, also for failing to safeguard children’s data.