TikTok facing multimillion-euro fine for violating children’s privacy on app

Platform claims over 1bn users worldwide after three-minute limit on viral videos and lip-sync routines proves a hit with users

The case dates to September 2021 and centres on TikTok's platform settings regarding child users’ personal data. File photograph: Ore Huiying/New York Times
The case dates to September 2021 and centres on TikTok's platform settings regarding child users’ personal data. File photograph: Ore Huiying/New York Times

TikTok is facing a big fine within weeks for violating children’s privacy on its video-sharing app, with the penalty likely to be measured in the hundreds of millions of euro.

The Chinese-owned company, which employs more than 3,000 people in Ireland, has been under “large-scale” investigation for two years in a case centred on the processing of children’s personal data.

TikTok claims more than 1 billion users worldwide after the three-minute limit on viral dance videos, comedy skits and lip-sync routines proved a hit with users of its app.

TikTok plan to close cafe to public at Dublin office ‘undesirable’, says councilOpens in new window ]

Subscriber Only: Bankers are being usurped by TikTok influencers for financial adviceOpens in new window ]

In addition to fines for breaching children’s privacy, TikTok faces a separate investigation into transfers of personal data to China and whether it complied with requirements under European Union law for transfers of such data to third countries.

READ SOME MORE

In the investigation into children’s data, a dispute over penalties proposed by Irish data protection commissioner Helen Dixon was settled yesterday at a Brussels meeting of European regulators.

The move has cleared the way for the fine to be imposed on TikTok within one month. “The EDPB [European Data Protection Board] adopted a dispute resolution decision,” said a statement on the case from the board

The size of the TikTok sanction is considered likely to be in line with certain penalties against Facebook owner Meta for breaches of Europe’s general data protection regulation (GDPR), a 2018 law to toughen scrutiny over the exploitation of personal data by business.

Meta operations were fined €225 million in 2021 for GDPR breaches before regulators sharply escalated penalties, with total fines against that company now at €2.5 billion. Meta has appealed such fines.

But the scale of Meta penalties under the EU privacy regime has set precedents for the TikTok case as regulators seek to hold Big Tech companies to account for their use of personal data.

“We’ve yet to receive the final decision so we’re not in a position to comment,” said TikTok when asked about the case and whether it expected the fine to reach hundreds of millions of euro.

The GDPR regime was billed as a game-changer in the drive to control how business exploits consumers’ personal information, although critics say enforcement should be sharper and swifter.

The GDPR gave Ms Dixon sweeping powers to supervise the pan-European operations of large tech companies such as TikTok, which have their EU headquarters in Ireland. However, penalties she suggests must be approved by fellow regulators who sit with her in the EDPB.

Just as many of the penalties she proposed against Meta were challenged in the European board, the sanction against TikTok met resistance and was settled only after a dispute resolution procedure. The objectors in this case were Italian and German regulators.

Who’s afraid of TikTok? ‘The main concern should be about privacy more generally’Opens in new window ]

Finn McRedmond: The tragic irony of the TikTok therapistOpens in new window ]

There was no comment from Ms Dixon’s office after an EDPB statement said it made a binding decision to address “legal questions arising from objections” to her draft decision. “The EDPB binding decision ensures the correct and consistent application of the GDPR by the national [data protection authorities],” it said.

The case dates to September 2021. It centres on TikTok platform settings in relation to child users’ personal data, concentrating on “public-by-default processing of such platform settings in relation to users under age 18 accounts and age verification measures for persons under 13″.

The investigation also examined whether TikTok complied with the GDPR transparency obligations in the context of the processing of personal data of users under age 18.

In a demonstration of the slow pace of decision-making at the European board, Ms Dixon’s draft decision on TikTok was submitted to fellow regulators last September.

Arthur Beesley

Arthur Beesley

Arthur Beesley is Current Affairs Editor of The Irish Times