On September 1, 2023, the Irish Data Protection Commission (DPC) issued a 125-page decision regarding TikTok, in which it found several violations and accordingly imposed a fine of EUR 345 million (media release). The DPC summarizes the investigation as follows:
The DPC, as the lead authority, initiated an investigation into TikTok’s data processing on September 14, 2021. The other supervisory authorities were subsequently consulted in accordance with Art. 60 para. 3 GDPR. Objections from the Italian and Berlin authorities could not be resolved by mutual agreement, which is why the EDPB was involved in accordance with Article 65(1)(a) GDPR. On August 2, 2023, the EDPB made a binding decision. This DPC decision is based in part on this EDPB decision.
The subject of the investigation was the processing of personal data of registered users between the ages of 13 and 17 in the period from July 31 to December 31, 2020 (TikTok is open to persons aged 13 and over, and a “child” is a person under the age of 18 under the Irish Data Protection Act 2018, read together with Art. 8 para. 1 GDPR).
The DPC found several violations of the GDPR by TikTok:
- Content was set to “public” by default, including for children. Everyone, even persons not registered with TikTok, could view such content. Appropriate technical and organizational measures to ensure that only the necessary data was processed by default were lacking. This violated privacy by design and by default and the principle of data minimization, and it created considerable risks for the children concerned. TikTok had also failed to assess those risks.
- With the so-called “Family Pairing” feature, third parties, e.g. parents, could link their account to that of the child. However, the linked third party could then also activate the direct messaging function for children over 16. This too constitutes a failure to implement appropriate technical and organizational measures, because there was no apparent reason why the third party should be able to apply not only stricter but also less strict privacy settings.
- TikTok had taken measures to prevent the registration of children under 13. However, the risk that children under 13 nevertheless gain access to the platform had never been assessed in a structured manner. A data protection impact assessment existed, but it disregarded this risk.
- TikTok had violated its duty to inform. TikTok did inform users that a public account setting gave third parties access to their content (“public”, “everyone”, “anyone”). However, it did not communicate that this applied not only to other registered users but to any internet user outside TikTok (and it used terms such as “may” that were too vague). The DPC found this to be a violation of Art. 12 and 13 GDPR. In contrast, the general principle of transparency (Art. 5(1)(a) GDPR) was not violated. Following the EDPB, the DPC takes a restrictive view of the principle of transparency:
In the particular circumstances, I do not consider that TTL’s informational deficits constitute an infringement of Article 5(1)(a). This is because, while the infringements of Articles 12(1) and 13(1)(e) GDPR are serious in nature, they are not of such a nature that they extend beyond the confines of those specific articles and are not sufficiently extensive to amount to an overarching infringement of the transparency principle. Specifically, and having regard to EDPB Binding Decision 01/2021, I do not consider that TTL’s informational deficits are of the nature or extent described in EDPB Binding Decision 1/2021 such that it might be said that there has been an infringement of the Article 5(1)(a) GDPR transparency principle itself.
- The principle of fairness, however, was violated. The reason was “nudging”: when setting up the account, the user could select the “private” option but was invited to skip this setting (“skip”).
The DPC therefore ordered TikTok to rectify the relevant violations insofar as it had not already done so. The DPC also imposed fines totaling EUR 345 million, noting:
- that for most violations no intent could be established, with the exception of the fact that accounts were public by default;
- that, following recital 150 GDPR, the concept of an undertaking under competition law is decisive for determining the upper limit of the fine (based on global annual turnover). There is a rebuttable presumption that group companies are under unified management if a parent company exercises direct or indirect decisive influence. In particular, it is not required that the parent company is a controller, i.e. that it determines the specific data processing. The presumption is rebutted by proof that the company whose infringement is at issue acts with “real autonomy”;
- that the total fine results from the fines for the individual infringements. It is therefore not sufficient to identify the most serious infringement and increase its fine appropriately; rather, a fine is to be determined for each individual infringement, and these fines are to be added together.