European Regulators Fine TikTok $368M Over Failure To Protect Data of Young Users

European authorities have found that TikTok violated General Data Protection Regulation (GDPR) rules when it comes to how it processes younger users’ personal data. Along with this decision, the regulator has revealed that it has slapped the social network with a €345 million ($368 million) fine, Engadget reported.

As the regulating body where TikTok is headquartered and where its first data center is located, the Irish Data Protection Commission investigated whether TikTok adhered to its privacy protection obligations for users between 13 and 17 years old between July 31 and December 31, 2020.

According to Engadget, the regulator found that TikTok allowed child users’ accounts to be paired with adult users’, without verifying whether that person is their parent or guardian. It even allowed that adult user to enable direct messaging for both of them, when the feature shouldn’t be available for the underage user.

The Guardian reported that the Irish data watchdog, which regulates TikTok across the EU, said the Chinese-owned video app had committed multiple breaches of GDPR rules.

According to The Guardian, the regulator found TikTok had contravened GDPR by: placing child users’ accounts on a public setting by default; allowing public comments on those accounts; not checking whether an adult given access to a child’s account on a “family pairing” scheme was a parent or guardian; and not properly taking into account the risks posed to under-13s on the platform who were placed in a public setting.

The Irish Data Protection Commission (DPC) said users aged between 13 and 17 were steered through the sign-up process in a way that resulted in their accounts being set to public – meaning anyone can see an account’s content or comment on it – by default. It also found that the “family pairing” scheme, which gives an adult control over a child’s account settings, did not check whether the adult “paired” with the child user was a parent or guardian.

The DPC ruled that TikTok, which has a minimum user age of 13, did not properly take into account the risk posed to underage users who gained access to the platform. It said the public-setting-by-default process allowed anyone to “view social media content posted by those users.”

TechCrunch reported that TikTok has been found to have violated the following eight articles of the GDPR: – aka breaches of lawfulness, fairness and transparency of data processing; data minimization; data security; responsibility of the controller; data protection by design and default; and the rights of the subject (including minors) to receive clear communications about data processing; and to receive information on recipients of their personal data.

A TikTok spokesperson sent TechCrunch this statement:

“We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default.”

In my opinion, it sounds to me like TikTok is trying to absolve itself in the public eye by claiming that the features and settings in its app – that could potentially have harmed children and young teens – had changes made to them. That might be so, but it isn’t going to get TikTok out of having to pay the fine.