TikTok has been hit with a €345 million EU fine over the way it processes the personal data of children and teenage users, the first handed out by the bloc to the Chinese-owned social media platform.
Ireland’s Data Protection Commission, the regulator responsible for holding TikTok Technology to EU data protection law, announced the fine on Friday after an investigation that began in September 2021.
The DPC’s probe found TikTok had infringed EU data protection rules by setting the profiles of children aged 13-17 to default to a public setting, meaning anyone on or off TikTok could view their content and contact them.
TikTok, which set up an office in Ireland in 2020 and this month opened a long-planned site in Dublin to store EU citizens’ data, was investigated by the DPC over its compliance during the period July 31, 2020, to December 31, 2020.
The fine is the latest against social media platforms for lax privacy protections and comes as the DPC is finalizing an investigation into TikTok over data transfers to China.
Meta, the owner of Facebook, this year was handed a record €1.2 billion fine and ordered to suspend transfers of user data to the US. Meta’s Instagram app was fined €405 million by the DPC in September 2022 for failing to safeguard children’s data.
TikTok, which has 134 million monthly EU users, failed to provide child users with enough transparency over what was happening to their data and nudged them toward more privacy-intrusive options, the DPC said. TikTok does not say how many of its users are children.
In addition, under a family pairing setting, it could not be verified that the adult paired with a child’s account was the parent or guardian, and that adult was able to allow over-16s to access direct messaging features, the DPC said.
The social media app, which is owned by Beijing-based ByteDance, said it had changed its policy on most of the issues covered well before the investigation began and had not yet decided whether to appeal.
“We respectfully disagree with the decision, particularly the level of the fine imposed,” a TikTok spokesperson said.
“The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default,” the spokesperson added.
In a statement, Elaine Fox, TikTok’s head of privacy for Europe, said the platform would “continue to strengthen protections for teenagers.”
The DPC was ordered by the European Data Protection Board, the independent umbrella authority for the sector, to toughen the initial decision it had reached last year, following objections raised by the Italian and German data protection bodies. But the level of fine remained unchanged.
TikTok has three months to comply with the ruling.
The DPC expects to share its draft findings on its investigation into TikTok data transfers to China with other European data protection agencies by the end of this year.
© 2023 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.