The background

The main reason for the fine was the infringement of the GDPR’s fairness principle in relation to the processing of personal data of children between the ages of 13 and 17 (“Child Users”). The authority has found that the personal data processing by using the Registration Pop-Up and Video Posting Pop-Up did not comply with the GDPR.

According to the authority, TikTok implemented dark patterns, during the registration process, by presetting accounts to be public-by-default at registration, and the opt-out option to make them private was deceptive. TikTok also failed to properly explain in a way that Child Users could understand that, when making a public account, their personal data would be visible to anyone, including registered and unregistered users as well.

In connection to the Video Posting Pop-Up, similar problem has been found. This pop up enables users to change the video’s privacy settings before posting. During the investigation, it was found that the data controller made it difficult for the users to adjust their privacy settings and limit the processing, making it more likely for users to post videos with their pre-set settings.

Furthermore, the age verification measures implemented by TikTok, in order to filter and block the registration of persons under the age of 13, who are prohibited to use the application, were also investigated. The established process is designed to make the registration process cease and block the user from the app, even after re-installing it, if their age was under 13. However, the individuals had not been informed, that they are blocked because of their age. 

The procedure of EDPB

While the draft decision of the Irish Data Protection Authority found that the pop-ups’ practice has infringed the right to information under the GDPR. However, in the view of the German Data Protection Authority, which was also concerned in this case, the practice also infringed the principle of lawful and fair processing. The draft decision has been submitted to the European Data Protection Board (“EDPB”) in order to resolve the question.

As a result of the investigation, the EDPB concluded that the pop-ups described above have infringed the principle of fairness. This principle means that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. In connection to this case, the EDPB published a binding decision with a direction that the Irish Data Protection Authority must amend its draft decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. In this binding decision, the EDPB echoes a provision made in the past on the elements of this principle.

According to that provision, fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject. Additionally, the same institution had previously stated in first place, that the principle of fairness includes, inter alia, recognising the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller.

Therefore, based on the findings of the EDPB, it has agreed, that the principle of fairness has been infringed by the pop-ups, which by taking advantage from the existing imbalance between the company and the Child Users, nudged the users towards choosing more privacy-intrusive options. In the EDPB’s words “Making it harder for data subjects to make a choice in favour of the protection of their personal data”. This led the Child Users to make decisions against their privacy.

What will happen now?

The decision of the Irish Data Protection Authority not only imposed a significant fine on TikTok, but also ordered the company to make its practice compliant with the data protection requirements within 3 months. However, TikTok has the right of an effective remedy against the decision.