Irish Data Protection Commission Announces €345 Million Fine Imposed on TikTok

The Irish Data Protection Commission (DPC) has concluded its inquiry into TikTok Technology Limited (TTL), resulting in a substantial fine of €345 million for the social media giant. The investigation revolved around TikTok's handling of personal data related to child users during a specified period.

The DPC launched this inquiry voluntarily to scrutinize TikTok's compliance with the General Data Protection Regulation (GDPR) between July 31, 2020, and December 31, 2020. Specifically, the investigation assessed TikTok's adherence to GDPR concerning:

1. Platform Settings: This encompassed examining TikTok's default settings, especially the public-by-default settings, and the features associated with 'Family Pairing.'
2. Age Verification: The investigation evaluated TikTok's age verification procedures implemented during the registration process.

The DPC's examination also included an assessment of TikTok's transparency obligations, with a focus on the information provided to child users regarding default settings.

Upon concluding its investigation, the DPC submitted a preliminary decision on September 13, 2022, to the relevant Supervisory Authorities Concerned (CSAs), as outlined in Article 60(3) of the GDPR. The DPC's draft decision indicated violations of several GDPR articles, including Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), and 13(1)(e), concerning the aforementioned data processing activities. While there was general agreement among the CSAs on these findings, objections were raised by the Supervisory Authorities of Italy and Berlin.

The Berlin Supervisory Authority contested the absence of a finding related to the GDPR's fairness principle (Article 5(1)(a)) concerning 'dark patterns.' Simultaneously, the Italian Supervisory Authority objected to the DPC's determination of TTL's compliance with Article 25 of the GDPR, particularly concerning age verification procedures during the specified period.

Due to the lack of consensus regarding these objections, the DPC referred the matter to the European Data Protection Board (EDPB) for resolution, following the GDPR's Article 65 dispute resolution mechanism.

The EDPB issued its binding decision on August 2, 2023, instructing the DPC to include a new finding of infringement related to the fairness principle (Article 5(1)(a)) as per the Berlin SA's objection. Additionally, the EDPB directed the DPC to expand the scope of the existing corrective order to address this new violation adequately.

Subsequently, on September 1, 2023, the DPC released its final decision. This decision found TikTok Technology Limited in violation of several GDPR articles, including Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e), and 5(1)(a). In response, the DPC imposed the following corrective measures:

1. Reprimand: TikTok received an official reprimand from the DPC.
2. Compliance Order: TikTok was mandated to rectify its data processing practices within three months from the date of the DPC's decision notification.
3. Substantial Fine: TikTok faces administrative fines totaling €345 million as a result of these GDPR violations.

This landmark decision underscores the significance of GDPR compliance and serves as a notable example of regulatory authorities taking robust action to protect user data and privacy rights.