The Irish Data Protection Commission has announced a €345 million fine against TikTok, the Chinese-owned video-sharing social media giant.
Its inquiry sought to examine the extent to which, during the period between 31 July 2020 and 31 December 2020, the hugely popular video-sharing site complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:
- Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the ‘Family Pairing’ feature; and
- Age verification as part of the registration process.
It found TikTok had contravened GDPR by: placing child users’ accounts on a public setting by default; allowing public comments on those accounts; not checking whether an adult given access to a child’s account on a “family pairing” scheme was a parent or guardian; and not properly taking into account the risks posed to under-13s on the platform who were placed on a public setting.
Users aged between 13 and 17 were steered through the sign-up process in a way that resulted in their accounts being set to public – meaning anyone can see an account’s content or comment on it – by default.
It also found that the “family pairing” scheme, which gives an adult control over a child’s account settings, did not check whether the adult “paired” with the child user was a parent or guardian.
The DPC ruled that TikTok, which has a minimum user age of 13, did not properly take into account the risk posed to underage users who gained access to the platform.
It said the public-setting-by-default process allowed anyone to “view social media content posted by those users”.
The Duet and Stitch features, which allow users to combine their content with that of other TikTokers, were also enabled by default for under-17s.
However, the DPC found there had been no infringement of GDPR in terms of TikTok’s methods for verifying users’ ages.
The DPC’s decision records infringement of Articles of GDPR. The decision further exercises the following corrective powers:
- A reprimand;
- An order requiring TTL to bring its processing into compliance by taking the action specified within a period of three months from the date on which the DPC’s decision is notified to TTL; and
- Administrative fines totalling €345 million.