Brussels, 15 September – Following the EDPB’s binding dispute resolution decision, the Irish Data Protection Authority (IE DPA) has issued a final decision, finding, in particular, that TikTok Technology Limited (TikTok) infringed the GDPR's principle of fairness when processing personal data relating to children between the ages of 13 and 17. The EDPB's decision was issued on 2 August 2023 and covers TikTok's processing activities between 31 July and 31 December 2020.
Anu Talus, EDPB Chair, said: “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design. With this decision, the EDPB once again makes it clear that digital players have to be extra careful and take all necessary measures to safeguard children’s data protection rights.”
In its binding decision, the EDPB analysed the design practices implemented by TikTok in the context of two pop-up notifications that were shown to children aged 13-17: the Registration Pop-Up and the Video Posting Pop-Up. The analysis found that both pop-ups failed to present options to the user in an objective and neutral way.
In the Registration Pop-Up, children were nudged to opt for a public account by choosing the right-side button labelled “Skip”, which would then have a cascading effect on the child’s privacy on the platform, for example by making comments on video content created by children accessible.
In the Video Posting Pop-Up, children were nudged to click on “Post Now”, presented in a bold, darker text located on the right side, rather than on the lighter button to “cancel”. Users who wished to make their post private first needed to select “cancel” and then look for the privacy settings in order to switch to a “private account”. Therefore, users were encouraged to opt for public-by-default settings, with TikTok making it harder for them to make choices that favoured the protection of their personal data. Furthermore, the consequences of the different options were unclear, particularly to child users. The EDPB confirmed that controllers should not make it difficult for data subjects to adjust their privacy settings and limit the processing.
The EDPB also found that, as a result of the practices in question, TikTok infringed the principle of fairness under the GDPR. Consequently, the EDPB instructed the IE DPA to include, in its final decision, a finding of this additional infringement and to order TikTok to comply with the GDPR by eliminating such design practices.
The EDPB also assessed whether age verification measures implemented by TikTok between 31 July and 31 December 2020 complied with the requirements of data protection by design (Art. 25(1) GDPR). The EDPB expressed serious doubts regarding the effectiveness of the age verification measures put in place by TikTok during this period, particularly taking into account the severity of the risks for the high number of children affected. Among others, the EDPB found that the age gate deployed by TikTok to prevent child users under the age of 13 from accessing the platform could be easily circumvented and that the measures applied after users gained access to TikTok were not applied in a sufficiently systematic manner.
Based on the elements available in the context of this dispute resolution procedure, the EDPB concluded that it did not have sufficient information, in particular in relation to the state of the art, to conclusively assess TikTok’s compliance with Art. 25 (1) GDPR during this period. However, considering the serious doubts regarding the effectiveness of the measures chosen by TikTok, the EDPB required the IE DPA to reflect this in its final decision.
The IE DPA's final decision incorporates the legal assessment expressed by the EDPB in its binding decision. This decision was adopted on the basis of Art. 65(1)(a) GDPR after the IE DPA, as lead supervisory authority (LSA), triggered a dispute resolution procedure concerning the objections raised by some concerned supervisory authorities (CSAs). These objections outlined the scope of the EDPB’s decision, described above.
The IE DPA’s final decision also includes legal assessment that was not subject to objections by CSAs, such as the finding that the public by default settings were contrary to the principles of data protection by design and default, of data minimisation and transparency. In addition to a reprimand and a compliance order, the IE DPA imposed a fine of €345 Million.
The final decision taken by the IE DPA is available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
Editor’s note:
This current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties. EDPB Binding decisions only address disagreements on a draft decision, which are set out by CSAs in relevant and reasoned objections.