TikTok is facing a big fine within weeks for violating children’s privacy on its video-sharing app, with the penalty likely to be measured in the hundreds of millions of euro.
The Chinese-owned company, which employs more than 3,000 people in Ireland, has been under “large-scale” investigation for two years in a case centred on the processing of children’s personal data.
TikTok claims more than 1 billion users worldwide after the three-minute limit on viral dance videos, comedy skits and lip-sync routines proved a hit with users of its app.
[ TikTok plan to close cafe to public at Dublin office ‘undesirable’, says councilOpens in new window ]
In addition to fines for breaching children’s privacy, TikTok faces a separate investigation into transfers of personal data to China and whether it complied with requirements under European Union law for transfers of such data to third countries.
Housing in Ireland is among the most expensive and most affordable in the EU. How does that happen?
Ceann comhairle election key task as 34th Dáil convenes for first time
Your EV questions answered: Am I better to drive my 13-year-old diesel until it dies than buy a new EV?
Workplace wrangles: Staying on the right side of your HR department, and more labrynthine aspects of employment law
In the investigation into children’s data, a dispute over penalties proposed by Irish data protection commissioner Helen Dixon was settled yesterday at a Brussels meeting of European regulators.
The move has cleared the way for the fine to be imposed on TikTok within one month. “The EDPB [European Data Protection Board] adopted a dispute resolution decision,” said a statement on the case from the board
The size of the TikTok sanction is considered likely to be in line with certain penalties against Facebook owner Meta for breaches of Europe’s general data protection regulation (GDPR), a 2018 law to toughen scrutiny over the exploitation of personal data by business.
Meta operations were fined €225 million in 2021 for GDPR breaches before regulators sharply escalated penalties, with total fines against that company now at €2.5 billion. Meta has appealed such fines.
But the scale of Meta penalties under the EU privacy regime has set precedents for the TikTok case as regulators seek to hold Big Tech companies to account for their use of personal data.
“We’ve yet to receive the final decision so we’re not in a position to comment,” said TikTok when asked about the case and whether it expected the fine to reach hundreds of millions of euro.
The GDPR regime was billed as a game-changer in the drive to control how business exploits consumers’ personal information, although critics say enforcement should be sharper and swifter.
The GDPR gave Ms Dixon sweeping powers to supervise the pan-European operations of large tech companies such as TikTok, which have their EU headquarters in Ireland. However, penalties she suggests must be approved by fellow regulators who sit with her in the EDPB.
Just as many of the penalties she proposed against Meta were challenged in the European board, the sanction against TikTok met resistance and was settled only after a dispute resolution procedure. The objectors in this case were Italian and German regulators.
[ Who’s afraid of TikTok? ‘The main concern should be about privacy more generally’Opens in new window ]
[ Finn McRedmond: The tragic irony of the TikTok therapistOpens in new window ]
There was no comment from Ms Dixon’s office after an EDPB statement said it made a binding decision to address “legal questions arising from objections” to her draft decision. “The EDPB binding decision ensures the correct and consistent application of the GDPR by the national [data protection authorities],” it said.
The case dates to September 2021. It centres on TikTok platform settings in relation to child users’ personal data, concentrating on “public-by-default processing of such platform settings in relation to users under age 18 accounts and age verification measures for persons under 13″.
The investigation also examined whether TikTok complied with the GDPR transparency obligations in the context of the processing of personal data of users under age 18.
In a demonstration of the slow pace of decision-making at the European board, Ms Dixon’s draft decision on TikTok was submitted to fellow regulators last September.