Children's hand on TikTok logo: The app is extremely popular, especially among minors

Photo: Marijan Murat / dpa

Because TikTok has been sloppy in the past when it comes to data protection for minors, the social network must now pay a fine of 345 million euros. The responsible Irish data protection authority announced this on Friday. Among the points in dispute were whether young people's accounts are open to everyone by default and how minors are informed about dangers. The company expressed disappointment: most of the disputed problems had already been eliminated in recent years.

The proceedings had dragged on for years. The other European data protection supervisors had repeatedly accused the Irish chief supervisor Helen Dixon of delaying tactics. Since then, the Data Protection Commission has worked through some of the particularly high-profile proceedings. In May of this year, for example, it ordered the Facebook group Meta to pay a fine of 1.2 billion euros, and the September before, the Meta subsidiary Instagram was fined 405 million euros for its handling of the data of minors.

Improvements came too late

In total, TikTok was accused of five violations of the European General Data Protection Regulation (GDPR) in the current proceedings.

  • Postings by underage users were made available to the public by default.

  • The "escorted mode," which allows parents to supervise their children's TikTok use, did not ensure that the adults were actually the guardians.

  • Weak protections allowed children under the age of 13 to register without restrictions.

  • Underage users were not adequately informed about the functioning and dangers of the social network.

  • Through the app design and targeted choice of words, minors are said to have been urged to reduce their privacy protection.

The company now has three months to improve the app in all respects. However, the Irish data protection authority's proceedings referred to an investigation period in the second half of 2020.

For this reason, the company was disappointed. "We disagree with key aspects of this decision, including the disproportionate fine," a TikTok spokeswoman said in response to a request from SPIEGEL. The company points to numerous improvements that the operators have made in recent years. The majority of the allegations are therefore "no longer relevant," it says: for example, the accounts of users under the age of 16 are now set to "private" by default. In addition, the company says, accounts that were probably registered by children under the age of 13 are systematically blocked by moderators.

TikTok must comply with new requirements

However, the many improvements did not come solely on the company's own initiative. For example, the Italian data protection authority, which is also responsible for the protection of minors, had exerted pressure on the company after the death of a ten-year-old girl in an online dare. TikTok also has to comply with numerous new requirements of the European Digital Services Act (DSA) and the Digital Markets Act (DMA).

As in previous high-profile cases, there was a dispute among the data protection authorities. This time, the Irish regulators, who are responsible for many international internet companies, had to extend their original decision against TikTok. For example, the state data protection authorities of Berlin and Baden-Württemberg had objected to so-called "dark patterns" in the app, which are used to get users to deactivate protections.