The Irish data protection authorities, who are often accused of negligence, have now imposed a data protection fine on the popular online video service TikTok for negligent handling of minors' data. The amount of the fine is 345 million euros. You can read the background to this here.
Data protection investigations in Ireland
The online video service TikTok is a social media platform that is particularly popular among young people. Its European headquarters are in Ireland. The Irish data protection authorities are said to be particularly lax in monitoring and enforcing data protection regulations compared with other European countries. However, the recent decision by the Irish Data Protection Commission (DPC) to impose a data protection penalty on the TikTok service shows that the Irish data protection authorities can be different.
From the end of July to the end of December 2020, an investigation was conducted by Irish data protection authorities into the handling of user data from minors. In particular, factors such as the age verification of users when they register and default settings in their profiles were examined.
The disturbing result: Posts as well as videos by users between the ages of 13 and 17 could be published for all to see according to default settings. In addition, the comment function of the profiles had been accessible to all other users in the default settings.
Consequence under data protection law: fine
TikTok was requested to adapt its data processing in accordance with the GDPR. For this purpose, TikTok was given a deadline of 3 months and additionally fined.
Even though the amount of this fine sounds very high, it still does not come close to the record high of DSGVO fines. The highest fine in a data protection case to date was imposed on the Facebook group Meta in May this year and amounted to 1.2 billion euros.
What is TikTok doing now?
TikTok commented on the published allegations. In particular, the company emphasized that the results of the investigations would primarily relate to settings that were valid 3 years ago. Thus, the allegations based on updated settings are mostly no longer relevant. For example, the company had already set all accounts of users under the age of 16 to private by default.
As a consequence of the data protection allegations, TikTok also states that it will now build a new data center in Ireland for European users. A new data center is also planned in Norway. The transfer of all European user data there is to be completed by the end of 2024. Then, by default, all European user data will also be stored in the EU.
Under the name "Project Clover," TikTok says it wants to gain trust in Europe. Due to its connection to China, the video app has a difficult political standing in the West. The company now wants to change this, especially by being more transparent with its data.
Conclusion
Violations of data protection law can quickly lead to very high fines.
It is important for companies to maintain a comprehensive overview of how their data is processed. It is irreplaceable to employ professional staff trained in the regulations of the GDPR.
Do you need support on the topics of data protection and data security? Our team of experts will be happy to assist you. Contact us here.
English 
Deutsch 
Español 
Français 
Polski