Posted: August 7, 2023 by Pieter Arntz
The European Data Protection Board is expected to fine TikTok for violating the privacy of young children within the next four weeks.
The European Data Protection Board said a binding decision has been reached over TikTok's processing of children’s data, after the ByteDance-owned app submitted legal objections to an earlier ruling in Ireland, the home of the company’s European headquarters. The size of the fine is not yet known but will surely be in the millions of Euros.
This proceeding started in 2021, when the Dutch DPA imposed a fine of € 750,000 ($820,000) on TikTok. The main reason was that the information provided during the installation and usage of the app was in English and thus not readily understandable, especially for children. Not offering their privacy statement in Dutch was an infringement of privacy legislation by itself, because users have a right to be given a clear idea of what happens with their personal data.
The results of the Dutch investigation were handed to the Irish Data Protection Commission. Initially TikTok did not have its head office in Europe but in the course of the Dutch investigation, TikTok established operations in Ireland. If a company does not have its headquarters in Europe, any EU member state can engage in oversight with regard to its activities. In the case of companies that do have their headquarters in Europe, this responsibility would fall mainly to the country where the headquarters are located.
The following investigation by the data protection commissioner in Ireland into TikTok’s level of compliance with its general data protection regulation (GDPR) and how it handles the data of children between the ages of 13 and 17, brought to light problems regarding TikTok’s processing of children’s personal data, and age verification measures for children under 13.
In April of 2023, TikTok was ordered to pay a fine of £12.7M ($15.6M) for failing to protect 1.4 million UK children under the age of 13 from accessing its platform in 2020. The Information Commissioner's Office (ICO), the UK's data protection watchdog, imposed the fine after finding the company used children's data without parental consent. According to the ICO, many children were able to access the site despite TikTok setting 13 as the minimum age to create an account. This exposed them to vulnerabilities and inappropriate content. According to the ICO, the company may have used the data for tracking and profiling purposes. It may have also presented children with content deemed potentially harmful or inappropriate.
To improve compliance with new European Union regulations on content TikTok announced a number of new features for European users:
“We will continue to not only meet our regulatory obligations, but also strive to set new standards through innovative solutions.”
In the US TikTok has received a lot of criticism in the last few years as well. Among other things it's been called an "unacceptable security risk" by the commissioner of the FCC and was accused of gathering data on people who don't even use the app by a US consumer non-profit.
In April we explained what was going on and whether you had reasons to be worried from an organizational standpoint. The risks of allowing TikTok on corporate or hybrid devices very much depends on your threat model. While it is understandable that governments, the military, or defense contractors are among the first to ban TikTok from these devices, many other organizations are facing a lot of threats that are a much greater concern.