TikTok – €345,000,000 Fine (Ireland, 2023)

In 2021, the Dutch and French DPAs asked the Irish DPA to provide mutual assistance pursuant to Article 61 GDPR in the context of the processing activities undertaken by TikTok, the controller. The Irish DPA was Leading Supervisory Authority (LSA) under Article 56 GDPR. TikTok allegedly processed personal data of children in lack of sufficient identification mechanisms and implementing user settings that were not private. In particular, TikTok did not identify children under the age of 13 and made social media contents of all minors public-by-default. National procedure leading to the Irish Draft Decision First, the Irish DPA assessed whether TikTok’s default settings complied with the principles of data minimisation (Article 5(1)(c) GDPR), integrity and confidentiality (Article 5(1)(f) GDPR) and privacy by design and by default (Article 25 GDPR). These principles should be complied with by means of appropriate technical and organisational measures (Article 24 GDPR). The Irish DPA noted that new TikTok users were presented with a pop-up window where they could choose between ‘Go Private’ or ‘Skip’. If the user decided to skip, their account was made public by default. The DPA also stressed that TikTok’s privacy policy lacked transparency concerning the processing of minors’ data. Therefore, the controller violated the above-mentioned provisions. Second, the DPA examined whether age verification mechanisms were sufficient to guarantee compliance with the same provisions mentioned above. TikTok asked users to confirm their date of birth via an age gate. Children who used a date of birth that showed they were less than 13 were blocked and did not have a second opportunity to create an account. TikTok did not require ID documents (‘hard identifiers’) to be uploaded. However, TikTok declared to have removed children below 13 after reports by other users. Aware of that fact that no age verification mechanism is sufficient to fully guarantee that children below 13 do no