TikTok ordered to eliminate unfair design practices concerning children after EDPB binding decision

IRIS 2023-8:1/6

Amélie Lacourt

European Audiovisual Observatory

On 14 September 2021, the Irish Supervisory Authority (SA) started an “own volition inquiry” procedure as regards TikTok Technology Limited (hereafter: TikTok). It addressed, in particular, the processing of users’ (children aged between 13 and 17) personal data in connection with certain design practices, as well as issues relating to access to the platform for children under the age of 13. The draft decision issued by the Irish SA (the Leading SA – “LSA”) triggered objections from its counterparts, namely the Italian and German SAs (the Concerned SAs – “CSA”), and additional comments from several other CSAs, which led to the submission of the matter to the consistency mechanism.

In its mission to promote and support cooperation among national Supervisory Authorities and to ensure a consistent application and enforcement of data protection law, the European Data Protection Board (EDPB) submitted a binding dispute resolution decision on 2 August 2023, based on Article 60(4) GDPR and Article 65(1)(a) GDPR (Binding Decision 2/2023). The decision covers TikTok’s processing activities between 31 July and 31 December 2020. In principle, such decisions are addressed to the national Supervisory Authorities (SAs) to settle disputes when the LSA and the CSA(s) do not reach an agreement on a cross-border case.

The EDPB decision first addressed the processing of personal data of the registered TikTok platform users aged between 13 and 17. It provided an analysis of the design practices implemented by TikTok, namely of two pop-up notifications: the Registration Pop-Up and the Video Posting Pop-Up. The first one encouraged children to skip the registration process, affecting their privacy on the platform. In the second case, the design of the pop-up window further incited children to post videos by enhancing the button “Post Now” rather than the button “Cancel”. Similarly, the process for making posts private, which required switching to a private account by clicking on “Cancel”, was not straightforward. The EDPB therefore found that both pop-ups failed to present options to the user in an objective and neutral way, and instead made it harder for them – and particularly for children – to make choices favouring the protection of their personal data. In establishing its decision, the EDPB found that TikTok had infringed the principle of fairness, established under Article 5(1)(a) GDPR.

In addition, when assessing whether the platform’s age verification measures complied with data protection requirements by design (Art. 25(1) GDPR), the EDPB expressed serious doubts. According to the Board, the measures put in place a priori by TikTok to prevent children under the age of 13 from accessing the platform could be easily circumvented, and those applied a posteriori were not applied in a sufficiently systematic manner. Although the EDPB concluded it did not hold sufficient information to assess the platform’s compliance with Article 25(1) GDPR during the said period, it required the Irish Authority to reflect this issue in its decision.

Following the EDPB decision, the Irish Data Protection Authority issued a final decision establishing the infringement of the GDPR by TikTok. The Irish DPA imposed a EUR 345 million fine, in addition to a reprimand and a compliance order.


This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.