TikTok data failures show app is a 'clear danger' to Irish children

The fine was imposed on TikTok Technology Limited (TTL) by the Data Protection Commission (DPC) after an investigation which focused on the company’s processing of personal data relating to child users, under the EU’s General Data Protection Regulation. The period under investigation was July 31 to December 31, 2020.

The ruling related to “the processing of personal data of registered TikTok platform users who are aged between 13 and 17 years old in connection to certain design practices, as well as certain issues relating to children under the age of 13”, according to the Data Protection Commission.

Instagram was fined €405m last year over its handling of teenagers’ personal data.

In the UK earlier this year, the Information Commissioner’s Office fined TikTok £12.7m (€14.8m) because it “did not do enough” to make sure underage children were not using its platform and ensure their data was used correctly.

Responding to the latest development, CyberSafeKids chief executive Alex Cooney said: “Whilst we acknowledge that TikTok continues to make improvements to its service for child users, we believe this fine is appropriate and proportionate given the billions in profit that TikTok makes annually.

“They need to do much more to address the issue of underage users on their platform and to protect child users from harmful content. Our most recent data shows that 37% of 8-12-year-olds are using TikTok, so the platform’s failings represent a clear danger to a large number of Irish children.”

A DPC spokesman said its decision was reached on September 1 and TikTok has 28 days to appeal.

A TikTok spokesperson said: “We respectfully disagree with the decision, particularly the level of the fine imposed. 

The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default.

Among the issues highlighted in the ruling was that child users progressed through the sign-up to the TikTok platform in a manner that enabled their accounts to be set to public by default.

It outlined that as a result, videos posted to child users’ accounts were public by default, with comments enabled publicly by default.

Concerns were also raised about the Family Pairing feature in the video-sharing app, with the DPC highlighting that a child user’s account could be “paired” with an unverified non-child.

TikTok has also been issued with a reprimand by the DPC and an order to comply with action specified by the DPC within three months.

Earlier this year, Facebook parent company Meta Ireland was fined €390m for breaches of EU data privacy rules, one of a number of fines the DPC has imposed on the company.

A €5m fine was imposed on WhatsApp in January over data-protection breaches.

According to the office of the DPC close to €3bn in fines has been imposed by the commission since May 2018 under GDPR.

Many of these fines are outstanding and some are subject to appeals.

“So far, the biggest one we have recouped was a €17m fine on Facebook which was imposed back in 2021. The payment was made in 2021,” a spokesman said.

Twitter had also paid a €450,000 fine in 2021, he said.