TikTok, the popular short video-sharing app, faces a historic $368 million fine in Europe for failing to protect children’s privacy, marking the first time the platform has been penalized for violating the continent’s stringent data privacy regulations.
The Irish Data Protection Commission, responsible for regulating major tech companies with European headquarters predominantly in Dublin, announced a €345 million penalty and a stern rebuke for TikTok’s transgressions, which date back to the latter half of 2020.
The investigation uncovered that TikTok’s registration process for teenage users inadvertently set their accounts to public by default, enabling unrestricted access to view and comment on their videos. These default settings posed a particular threat to children under 13 who managed to access the platform despite age restrictions.
Furthermore, TikTok’s “family pairing” feature, intended to empower parents to manage settings, was deemed inadequate, as it permitted adults to activate direct messaging for users aged 16 and 17 without obtaining their consent. It also steered teenage users towards more invasive privacy options during the sign-up and video posting processes, according to the regulatory findings.
In response to the decision, TikTok expressed its disagreement, particularly with the magnitude of the imposed fine. The company underscored that many of the criticisms raised by regulators pertained to features and settings from three years ago. TikTok asserted that it had proactively implemented changes well before the investigation commenced in September 2021. These alterations included setting all accounts for users under 16 to private by default and disabling direct messaging for those aged 13 to 15.
Elaine Fox, TikTok’s Head of Privacy for Europe, emphasized the irrelevance of most criticisms in the decision, stating, “Most of the decision’s criticisms are no longer relevant as a result of measures we introduced at the start of 2021 — several months before the investigation began.”
Critics have accused the Irish regulator of moving too slowly in its investigations into major tech companies since the implementation of EU privacy laws in 2018. In TikTok’s case, German and Italian regulators had previously disagreed with certain aspects of a preliminary decision issued a year ago, leading to further delays.
To prevent future bottlenecks, the European Union’s 27-nation bloc has entrusted its Brussels headquarters with the task of enforcing new regulations designed to promote digital competition and enhance the oversight of social media content. These rules aim to solidify the EU’s position as a global leader in tech regulation.
The Irish watchdog also evaluated TikTok’s measures for verifying user ages of at least 13, concluding that they did not violate any regulations.
However, the regulator is conducting a separate inquiry into whether TikTok complied with the EU’s General Data Protection Regulation when transferring users’ personal data to China, where its parent company, ByteDance, is headquartered.
Amid concerns that TikTok poses a security risk due to potential exposure of users’ sensitive information in China, the platform has initiated a project to localize European user data. This project includes the opening of a data center in Dublin this month, which marks the first of three such centers planned for the continent.
Other tech giants, including Instagram, WhatsApp, and their parent company, Meta, have also faced substantial fines from the Irish regulator over the past year.
