Data protection is of central importance in today’s digital world. Platforms aimed at a younger audience bear a particularly heavy responsibility. On 20.09.2023, the Irish Data Protection Commission issued a fine of 345 million euros against social media giant TikTok on behalf of the EU. The accusation: violations of European data protection law, especially in the handling of minors’ data.
Background to the decision
The investigation by the Data Protection Commission found that TikTok had violated European data protection law in its handling of user data of minors. As a result, a fine of €345 million was imposed on the video service.
Criticism by the data protection commission
The central point of criticism by the data protection commissioners is the fact that the profiles of minors as well as their uploaded videos were completely publicly accessible in the default settings of the service. This approach cannot be reconciled with the provisions of the European General Data Protection Regulation (GDPR), which stipulates special protection of minors’ data.
Another problematic aspect is the so-called “family connection” setting. It is possible to link the TikTok account of a minor with that of an adult. However, there is a lack of sufficient verification that the linked account actually belongs to a parent or guardian.
Reaction from TikTok
TikTok has criticised the fine and especially its amount. A spokesperson for the company emphasised that they have made significant changes to the functions and settings in question since 2020. It further pointed out that 17 million accounts have been deleted this year alone, as they were presumably created by children under the age of 13.
Past breaches
This is not the first incident in which TikTok has attracted negative attention when it comes to data protection. In the past, the company has been fined in various countries, including the UK, the Netherlands and the US.
Efforts to improve data protection
Despite the current criticism, TikTok emphasises its efforts to strengthen data protection in Europe. For example, it recently launched “Project Clover” with the aim of storing European user data exclusively in the EU. Data centres in Dublin and Norway are already being planned for this purpose.
In summary, it can be said that the handling of data – especially of minors – must always be done with the utmost care and in compliance with the applicable laws. The TikTok case underlines the importance of data protection measures. It remains to be seen how TikTok will react to this situation and whether other companies will follow suit to reconsider and improve their data protection practices.
