The Irish Data Protection Commission (DPC) has fined TikTok €345 million. In its decision adopted on 1 September 2023, it found that the social network was not complying with the obligations of the General Data Protection Regulation (GDPR) regarding the processing of children’s data.
In particular, the DPC found that underage user profiles are public by default. This practice is all the more risky when children under the age of 13 manage to create an account despite being banned from registering on the platform.
In addition, the “family pairing” mode enabling an adult’s TikTok account to be linked to that of a child does not guarantee that the associated adult is a parent or guardian.
Lastly, the DPC believes that the Chinese social network does not provide transparent information to its underage users, while implementing “dark patterns” aimed at encouraging users to opt for more privacy-invasive options.
The DPC’s draft decision was contested by the Italian and Berlin data protection authorities. In particular, the latter successfully lobbied the European Data Protection Board (EDPB) to include “dark patterns” in the final decision.
TikTok has contested the decision, arguing that the features criticised are no longer relevant.
The decision: https://aeur.eu/f/8n6 (Original version in French by Hélène Seynaeve)