A European Union regulator hit Chinese-owned social media platform TikTok with a 345-million-euro fine over child data breaches on Friday, in the bloc’s latest salvo against the business practices of tech titans.
The fine, equivalent to $369 million, is the culmination of a two-year inquiry by Ireland’s Data Protection Commission (DPC).
The Irish watchdog, which plays a key role in policing the EU’s strict General Data Protection Regulations, gave TikTok three months “to bring its processing into compliance” with its rules.
The DPC in September 2021 began examining TikTok’s compliance with GDPR in relation to platform settings and personal data processing for users aged under 18 years old.
It also looked at TikTok’s age verification measures for persons under 13 and found no infringement, but found the platform did not properly assess the risks to younger people registering on the service.
The regulator highlighted in its ruling Friday how children signing up had TikTok accounts set to public by default, meaning anyone could view or comment on their content.
It also criticised TikTok’s “family pairing” mode, which is designed to link parents’ accounts to those of their teenage offspring, but the DPC found the company did not verify parent or guardian status.
Ireland is at the centre of the GDPR regime because Dublin hosts the European headquarters of TikTok and the likes of Google, Meta and X, formerly Twitter.
In May, the DPC fined Meta a record 1.2 billion euros for transferring EU user data to the United States in breach of a previous court ruling.
TikTok, a division of Chinese tech giant ByteDance, is extremely popular among young people with 150 million users in the United States and 134 million in the EU.
In response to the fine, TikTok said it “respectfully disagrees” with the verdict and was “evaluating” how to proceed.
“The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default,” a TikTok spokesperson told AFP.
The platform insists that it closely monitors the age of its users and takes action when needed.
TikTok says it deleted almost 17 million accounts worldwide in the first three month of this year due to suspicions that they belonged to people under 13 years old.
Earlier this month, the social media giant opened a long-promised data centre in Ireland, as it tries to calm fears in Europe over data privacy.
GDPR came into force in 2018 and was the EU’s toughest and most famous law on tech, ensuring citizens give consent to the ways in which their data is used.
Friday’s fine comes after the EU last week unveiled a list of digital giants — including Apple, Facebook owner Meta and ByteDance — that will face tough new curbs on how they do business.