Ireland’s DPA fines TikTok €345 million for unfair processing of children’s data

Following the European Data Protection Board’s binding dispute resolution decision, Ireland’s Data Protection Commission (DPC) has today issued its final decision which requires TikTok to bring its processing into compliance in the EU by taking the action specified within a period of three months; and pay administrative fines totalling €345 million.

The decision relates to child users of TikTok, and the company’s infringement of the GDPR’s fairness principle. It was found that TikTok failed to provide sufficient transparency information to child users, and that it implemented ‘dark patterns’. There were also issues regarding platform settings for child users.

“While there was broad consensus on the DPC’s proposed findings, objections to the draft decision were raised by the Supervisory Authorities of Italy and Berlin (acting on behalf of itself and the Baden-Württemberg SA),” Ireland’s DPC said.

Anu Talus, EDPB Chair, said: “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design. With this decision, the EDPB once again makes it clear that digital players have to be extra careful and take all necessary measures to safeguard children’s data protection rights.”

The decision relates to the processing of data of registered TikTok platform users, who are aged between 13 and 17 years old, in connection to certain design practices, as well as certain issues relating to age verification and other points regarding children under the age of 13.

Tik Tok, which has its EU headquarters in Ireland, says that most of the criticisms are no longer relevant as a result of the changes it has introduced.