On 2 May 2025, EU privacy regulators fined TikTok, owned by ByteDance, 530 million euros for transferring EU users' personal data to another country in breach of the EU's General Data Protection Regulation (GDPR).
The Irish Data Protection Commission (DPC), which led the investigation, found that TikTok had failed to demonstrate that EU users' data accessed remotely by staff in another country received a level of protection essentially equivalent to that guaranteed within the EU. The probe also found that TikTok had provided inaccurate information about whether some of that data had been stored on foreign servers.
The DPC ordered TikTok to bring its processing into compliance within six months. In response, TikTok said that it already relied on the EU's legal framework for international transfers, specifically the so-called Standard Contractual Clauses, to grant strictly controlled and limited remote access. TikTok also announced that it would appeal, arguing that the ruling did not adequately take into account the data security measures it introduced in 2023, which provide independent monitoring of remote access and keep EU users' data in dedicated data centres in Europe and the United States.
A Previous Fine
Notably, TikTok had already been fined 345 million euros by the DPC in 2023 for mishandling children's data: in 2020 it had failed to take sufficient steps to protect the personal profiles of users aged 13 to 17. The DPC's investigation identified the following issues.
- Newly registered accounts for 13 to 17-year-olds were set to "public" by default, so anyone could view these teenagers' videos, profiles and comments, showing a lack of consideration for minors' privacy and safety risks.
- The "Family Pairing" feature, designed to let parents supervise their children's TikTok usage, lacked effective verification. It was easy for minors to bypass or misuse, leaving gaps in parental control.
- "Dark patterns" were used in the setup process, for example presenting the public option prominently while downplaying more private settings. This nudged users toward less private options, violating GDPR's principles of "data protection by design" and "data protection by default".
- The platform's age-verification mechanism was weak. Although children under 13 were not allowed to register, the check was easily evaded, so many young children could create accounts and access potentially harmful content.
- Child users were not adequately informed about how their data would be processed under the default settings.
Challenges
Judging by the DPC's findings, many other organizations, large or small, will face similar challenges in achieving full compliance with GDPR or equivalent regulations. To address these risks systematically, an organization may establish an information security management system (ISMS) that also covers the protection of personal data, certified and periodically audited against the ISO/IEC 27001:2022 standard.
In addition, Privacy Impact Assessments (PIAs) and IT security assessments should be carried out regularly to evaluate the associated risks.
DQS related Service