After a lengthy investigation, TikTok has been found to have violated the European Union's General Data Protection Regulation (GDPR) in its processing of children's data. The video-sharing platform was reprimanded and fined €345 million (approximately $379 million) under a decision released today by Ireland's Data Protection Commission (DPC). It was also ordered to bring the offending processing into compliance within three months.
TikTok was found to have breached eight provisions of the GDPR: Article 5(1)(a); Article 5(1)(c); Article 5(1)(f); Article 24(1); Article 25(1); Article 25(2); Article 12(1); and Article 13(1)(e). Taken together, these cover the lawfulness, fairness and transparency of processing; data minimisation; integrity and confidentiality (data security); the responsibility of the controller; data protection by design and by default; the right of data subjects, including minors, to receive clear, intelligible information about how their data is processed; and the right to be told who the recipients of their personal data are. That is a long list of violations.
The decision did not find a breach in TikTok's age verification methods, which have been a flashpoint for the company with several regional regulators. The Irish regulator did, however, note that the decision records a breach of Article 24(1) of the GDPR: TikTok had not implemented appropriate technical and organisational measures because it had not properly taken into account certain risks posed to children under 13 who access the platform regardless of the age gate, given that default account settings allowed anyone, on TikTok or not, to view the content posted by those users.
The settings TikTok had in place at the time meant that child users' accounts were set to public by default during registration. "This also means that, for example, videos posted to child user accounts default to public videos, comments default to public comments, and 'Duet' and 'Stitch' features are enabled by default," the DPC noted.
Child accounts could also be "paired" with non-child users through the "Family Pairing" feature, but TikTok did not verify that the paired user was actually the child's parent or guardian. According to the DPC's findings, a non-child user could use the feature to enable direct messaging for child users over the age of 16, "thereby making the feature less stringent for child users."