According to the Irish regulator, the voluntary inquiry was initiated to assess TikTok's compliance with GDPR obligations concerning the handling of personal data from child users on its platform with a specific focus on platform settings like public defaults, 'Family Pairing,' and age verification during registration
TikTok Technology (TTL) has been imposed an administrative fine of €345m by the Irish Data Protection Commission (DPC) for alleged violations of children’s data.
The DPC opened a probe into the short-form video hosting service in September 2021. The investigation was taken up to examine how the social media platform processed the data of children between 31 July and 31 December 2020.
According to the Irish DPC, the voluntary inquiry was initiated to assess TikTok’s compliance with GDPR obligations concerning the handling of personal data from child users on its platform. It specifically focused on platform settings like public defaults, ‘Family Pairing,’ and age verification during registration.
As part of the inquiry, the DPC also scrutinised TikTok’s transparency obligations, including the information provided to child users regarding default settings.
Recently, upon concluding its investigation, the DPC presented a draft decision to all concerned supervisory authorities (CSAs) as per Article 60(3) of the GDPR.
The DPC’s draft decision outlined findings of infringement of GDPR Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), and 13(1)(e) concerning the processing. Although there was general agreement on the DPC’s proposed findings, objections to the draft decision were raised by the supervisory authorities, specifically those of Italy and Berlin.
The Berlin supervisory authority’s objection aimed to include an additional violation related to the fairness principle (Article 5(1)(a) of GDPR) concerning ‘dark patterns.’
Conversely, the Italian supervisory authority’s objection sought to overturn the DPC’s proposed compliance finding with Article 25 of GDPR regarding TikTok’s age verification approach during the relevant period.
As the DPC could not reach an agreement with the concerned supervisory authorities regarding the objections, it decided to refer the objections to the European Data Protection Board (EDPB) for resolution using the dispute resolution mechanism outlined in Article 65 of GDPR.
In August 2023, the EDPB issued a binding decision. It directed the DPC to revise its draft decision by adding a new infringement finding related to the fairness principle (Article 5(1)(a) of GDPR) raised by the Berlin supervisory authority.
Additionally, the DPC was instructed to expand the existing order to ensure compliance and include actions needed to address this new infringement finding.
In addition to the fine, the Irish DPC reprimanded TikTok and issued a three-month compliance order to rectify its data processing practices.