EU Fines TikTok $368 Million for Failing to Protect Children’s Privacy

The regulators probed TikTok’s compliance regarding child user data, leading to €345 million in fines due to various violations.
The icon for the video sharing TikTok app is seen on a smartphone on Feb. 28, 2023. (Matt Slocum/AP Photo)
Caden Pearson
9/15/2023 (Updated: 9/15/2023)

European regulators fined TikTok roughly $368 million on Friday in a landmark decision over the short-form video-sharing platform’s failure to protect children’s privacy.

The Irish Data Protection Commission (DPC), the primary privacy regulator overseeing major tech firms with their European bases predominantly in Dublin, announced the fine and reprimand against TikTok, citing violations dating back to the latter half of 2020.

The DPC initiated an own-volition inquiry into TikTok’s data practices, examining the period from July 31, 2020, to Dec. 31, 2020. The investigation revealed several significant breaches in TikTok’s handling of children’s data.

Notably, the sign-up process for teenage users resulted in default settings that made their accounts public, allowing unrestricted viewing and commenting on their videos. These default settings also posed a risk to children under 13, who gained access to the platform despite age restrictions.

The “family pairing” feature, designed for parental control over settings, was found to be inadequately stringent, permitting adults to enable direct messaging for users aged 16 and 17 without their consent. Furthermore, TikTok was criticized for “nudging” teenage users toward more “privacy-intrusive” options during sign-up and video posting.

TikTok responded to the DPC’s decision, expressing disagreement, particularly with the magnitude of the fine.

The company noted that many of the regulator’s criticisms pertained to features and settings that were modified well before the investigation commenced in September 2021. TikTok had already taken steps, including making all accounts for users under 16 private by default and disabling direct messaging for 13- to 15-year-olds.

“Most of the decision’s criticisms are no longer relevant as a result of measures we introduced at the start of 2021—several months before the investigation began,” Elaine Fox, TikTok’s head of privacy for Europe, said in a blog post.

The company outlined additional privacy enhancements it has implemented, including “tighten[ing]” the options for commenting on videos created by 13 to 15-year-olds, offering choices limited to “Friends” or “No One,” and removing the “Everyone” option.

“We changed the ‘Duet’ and ‘Stitch’ settings so that nobody on TikTok could use these features with any content created by those under the age of 16 (for 16 and 17-year-olds, these features were set to ‘Friends’ by default); and we made the ‘Suggest your account to others’ setting ‘Off’ by default for 13 to 15-year-olds,” Ms. Fox said.

The Irish regulator has faced criticism for the pace of its investigations into major tech companies since the implementation of EU privacy laws in 2018. For TikTok, objections from German and Italian regulators to parts of a draft decision issued a year ago further delayed the process.

In an effort to streamline regulatory enforcement and foster digital competition while ensuring stringent oversight of social media content, the Brussels headquarters of the 27-nation bloc has been tasked with enforcing new regulations.

Responding to initial objections from German authorities, the top panel of European data regulators stated that TikTok had employed pop-up notices that failed to present choices to teen users in a neutral and objective manner.

“Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner—particularly if that presentation can nudge people into making decisions that violate their privacy interests,” said Anu Talus, chair of the European Data Protection Board.

Additionally, the Irish watchdog investigated TikTok’s measures to verify user ages and concluded that they did not breach any rules.

Meanwhile, the regulator is conducting a separate inquiry into whether TikTok complied with the EU’s General Data Protection Regulation when transferring users’ personal data to China, where its parent company, ByteDance, is headquartered.

TikTok has faced allegations of posing a security risk due to concerns that sensitive user information could end up in China. To address these concerns, TikTok recently opened a data center in Dublin, the first of three planned for the continent, as part of a project to localize European user data.

Notably, data privacy regulators in Britain, which exited the EU in January 2020, fined TikTok £12.7 million ($15.7 million) in April for mishandling children’s data and violating other safeguards for young users’ personal information.

In recent times, Instagram, WhatsApp, and their parent company, Meta, have also faced substantial fines from the Irish regulator, further underscoring the increasing scrutiny and enforcement of data protection laws in the tech industry.

The Associated Press contributed to this report.