[German]The Irish Data Protection Commission (DPC) issued its final decision regarding an investigation into TikTok Technology Limited (TTL) on September 1, 2023. The investigation examined whether the platform had complied with its obligations regarding the processing of children's personal data. A fine of 345 million euros was imposed on TikTok for violating these obligations.
Advertising
As part of an investigation, the DPC was to assess the extent to which TiktTok (TTL) complied with its obligations under the GDPR in relation to the processing of personal data of children using the TikTok platform in the period from July 31, 2020 to December 31, 2020. According to the DPC, this involved:
- Certain settings on the TikTok platform, including default settings for the public and settings related to the Family Pairing feature; and age verification as part of the registration process.
- As part of its investigation, the DPC also examined some of TikTok's transparency obligations (TTL), including the extent of information provided to children regarding default settings.
Upon completion of its investigation, the DPC sent a draft decision within the meaning of Article 60(3) of the General Data Protection Regulation to all relevant supervisory authorities within the EU on September 13, 2022.
The Irish DPC's draft decision proposed findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e) of the GDPR in relation to the above processing. While there was broad agreement on the proposed findings of the DPC, the supervisory authorities of Italy and Berlin (on their own behalf and on behalf of the supervisory authority of Baden-Württemberg) objected to the draft decision.
The objection raised by the Berlin supervisory authority aimed at including an additional finding of a breach of the principle of fairness under Article 5(1)(a) GDPR in relation to "dark patterns". The objection raised by the Italian DPC aimed at reversing the DPC's proposed finding of compliance with Article 25 GDPR with respect to TikTok's approach to age verification during the relevant period.
The Irish DPC was unable to reach consensus with the other data protection supervisory authorities (CSAs) on the subject matter of the objections and, in these circumstances, decided to refer the objections to the European Data Protection Board (EDPS) for a decision in accordance with the dispute resolution procedure under Article 65 of the GDPR.
Advertising
The European Data Protection Board (EDPS) took a binding decision on the subject matter of the objections on August 2, 2023 and instructed the DPA to amend its draft decision. A new finding of a breach of the principle of fairness under Article 5(1)(a) of the GDPR had to be included. This stems from the objection raised by the Berlin public prosecutor's office, and expands the scope of the existing order to bring the processing in line with the regulations. Included is a reference to the remedial measures necessary to address this new finding of a breach.
TikTok received a reprimand and an order to put the criticized item in order within three months of notification of the DPO's decision and to take the aforementioned measures. In addition, an administrative fine totaling 345 million euros was imposed on TikTok. Details can be accessed here as a PDF.k verhängt. Details lassen sich hier als PDF abrufen.
