Ireland
TikTok Limited
GDPR enforcement action by Data Protection Authority of Ireland on 2023-09-01.
Case details
- Authority
- Data Protection Authority of Ireland
- Date
- 2023-09-01
- Controller / Processor
- TikTok Limited
- Sector
- Media, Telecoms and Broadcasting
- Quoted Articles
- Art. 5 (1) c), 5 (1) f) GDPR, Art. 12 (1) GDPR, Art. 13 (1) e) GDPR, Art. 24 (1) GDPR, Art. 25 (1), (2) GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The Irish DPA (DPC), has imposed a fine of EUR 345 million on TikTok Limited. The DPC conducted an investigation primarily focused on the processing of personal data between July 31, 2020, and December 31, 2020. During their investigation, the DPC found that the profiles of child users were set to public access by default. As a result, the DPC concluded that TikTok had failed to implement appropriate technical and organizational measures to ensure that only necessary personal data was being processed.
Furthermore, the DPC noted that the "Family Pairing" feature, which allowed non-child users to link their accounts with those of child users, posed a security risk to the personal data of children.
Additionally, TikTok failed to provide child users with information about the categories of recipients of their personal data and clear, understandable information on the scope and implications of data processing.
The DPC also found that TikTok introduced so-called "dark patterns," leading users to frequently opt for less privacy-friendly options during registration and when posting videos on the platform. In addition to the fine, the DPC issued an order requiring TikTok to bring its processing activities in line with the GDPR within three months.
Related fines