Security Experts:

TikTok fined €750,000 for Violating Children's Privacy

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens – AP) announced Thursday that it has imposed a fine of €750,000 on TikTok “for violating the privacy of young children”. More specifically, TikTok failed to provide a privacy statement in the Dutch language, making it difficult for young children to understand what would happen to their data.

The fine stems from a wider investigation that has now been passed to the Irish Data Protection Authority. When the investigation started, TikTok had no European headquarters and could be investigated by any national authority.

“But in the course of our investigation,” explained the AP’s Deputy Chair Monique Verdier, “TikTok established operations in Ireland. From that point on, the AP was only authorized to assess TikTok's privacy statement because the violation itself had already ended. It is now up to Ireland's Data Protection Commission to finish our investigation and issue a final ruling on the other possible violations of privacy investigated by the DPA.”

The other possible violations are not detailed in the official Dutch decision document (PDF). However, it states, “By letter and e-mail dated 2 October 2020, the AP informed TikTok Information Technologies UK Limited (hereinafter: TikTok UK) of its intention to enforce its decision against TikTok Inc. and sent it the underlying investigative report and documents. TikTok UK and TikTok Inc. were given the opportunity to express their views on the investigative report and the underlying documents.”

TikTok has now included a Dutch language privacy statement, and has appealed the fine.

Clues to the other potential violations may be found in a separate claim against TikTok lodged in June 2021 by the Dutch consumer group Consumentenbond and the Take Back Your Privacy organization. This is for €1.5 billion (approximately $1.8 billion) alleging unlawful harvesting of personal data.

Where children are concerned, the AP’s decision to fine TikTok would seem to imply a de facto case. The AP is satisfied that TikTok collected and processed personally identifiable information, and that it did so without legally acceptable information being given to the data subjects (the young children). This is a seemingly clear violation of GDPR.

It is part of a wider set of legal issues facing TikTok. In February 2021, the Chinese parent company ByteDance agreed to pay $92 million in settlement to U.S. users –  part of a class lawsuit that alleges illegal data collection – for violation of Illinois privacy law. In late May 2021, the European Commission gave TikTok one month to answer complaints from the European Consumer Organization that had claimed several terms in TikTok’s ‘Terms of Service’ are unfair. The consumer group said the platform failed to protect children and teenagers from hidden advertising and potentially harmful content.

Related: TikTok Sued in US Over Alleged China Data Transfer

Related: China-Made TikTok App Riddled with Security Holes: Researchers

Related: TikTok and WeChat: Chinese Apps Dogged by Security Fears

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.