Ireland's Data Protection Commission continues to demonstrate the repercussions companies will face if they fail to meet the core principles of the EU General Data Protection Regulation. The latest example comes with the DPC's adoption of a 345 million euro fine and corrective measures against TikTok over alleged GDPR violations concerning children's data protection.

The enforcement action concerns claims against TikTok's platform settings for kids that it had in place over a five-month span 31 July 2020 to 31 December 2020. The DPC investigation yielded violations of Articles 5(1)(c), 5(1)(f), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) while an additional violation of Article 5(1)(a) was added following the European Data Protection Board's August binding decision on the matter.

In a statement on the decision, the EDPB detailed the claims it analyzed in its Article 65 dispute resolution decision. The board focused on "design practices implemented by TikTok in the context of two pop-up notifications that were shown to children aged 13-17: the Registration Pop-Up and the Video Posting Pop-Up." Both practices allegedly "failed to present options to the user in an objective and neutral way," according to the board.

EDPB Chair Anu Talus said TikTok and social media platforms "have a responsibility to avoid presenting choices to users, especially children, in an unfair manner." She also indicated the work of the DPC and the board "once again makes it clear that digital players have to be extra careful and take all necessary measures to safeguard children’s data protection rights."

TikTok, notified of the DPC's final decision 11 Sept., has three months to correct the alleged contraventions of GDPR principles concerning personal data processing, data protection by design and by default, and transparency.

TikTok Head of Privacy, Europe, Elaine Fox said in a response to the DPC's decision, "We respectfully disagree with several aspects of the decision, particularly the level of the fine." She added the claims "are no longer relevant as a result of measures we introduced at the start of 2021 - several months before the investigation began."

The DPC indicated its own-volition inquiry also explored alleged GDPR noncompliance associated with TikTok's age verification practices. According to Fox, the age assurance claims were actually found to be compliant and were not included in the final decision.

Ireland's Data Protection Commissioner Helen Dixon forecasted the finalization of the TikTok decision in a May appearance before European Parliament where she also claimed this year "is going to be an even bigger year for GDPR enforcement on foot of DPC large scale investigations."

Building a track record

It is the latest in a string of sizeable fines adopted by the DPC in the last 12 months. The record 1.2 billion euro fine served to Meta in May stands as the DPC's most stringent work. Besides the steep financial penalty though, the DPC's increased activity is also producing enforcement patterns.

TikTok's penalty closely aligns with the 405 million euro fine issued to Meta's Instagram in September 2022 over alleged issues with user settings for children 13-17. Both instances scrutinized the companies' respective use of a "public-by-default setting" with children's accounts.

"For many organizations, the fines — though significant by number — are not nearly as consequential as the corrective orders being issued by regulators," IAPP Research and Insights Director Joe Jones said. "Regulators are increasingly ordering that certain data practices — many of which are likely to have previously been core to business models and often hard or impossible to unravel — be changed and brought into compliance."

The objections

As with prior DPC decisions, concerned supervisory authorities forced an Article 65 decision from the EDPB following objections to the DPC's draft decision. The DPC offered a window into two complaints, including one that brought the inclusion of alleged Article 5(1)(a) infringements into the DPC's final decision.

The addition of the Article 5(1)(a) violation was proposed by the Berlin Commissioner for Data Protection and Freedom of Information, which the DPC said "sought the inclusion of an additional finding of infringement of the Article 5(1)(a) GDPR principle of fairness as regards 'dark patterns.'" Italy's data protection authority, the Garante, unsuccessfully challenged the reversal of the "proposed finding of compliance with Article 25 GDPR, as regards (TikTok's) approach to age verification during the Relevant Period (31 July 2020 to 31 Dec. 2020)."

During her time with Parliament in May, Commissioner Dixon explained the continuous debate among data protection authorities over proper enforcement is "largely confined to marginal issues around the fringes." She also discussed "inaccurate" claims about the DPC's strength in cross-border cases, saying her office is never "forced to take tougher enforcement action by its fellow supervisory authorities."

The EDPB stated there was consensus in the Article 65 process as the "legal assessment that was not subject to objections by (concerned supervisory authorities)."

The DPC indicated it submitted its draft decision to fellow supervisory authorities 13 Sept. 2022, meaning objections to the draft decision and subsequent dispute resolution contributed to an additional year's wait for a final decision.

The general lag in finalizing enforcement actions has drawn the ire of consumer groups ever since the GDPR took effect in 2018. At the IAPP Data Protection Congress in 2019, Dixon said the negative commentary is not justified without full knowledge of the enforcement process.

"I think if you understand even a little bit about what's involved in investigating in a case where the sanctions can be considerable, very high fines potentially, bans on processing potentially, that can affect businesses and the viability of a business, you're going to have to follow a due process and take it step by step," Dixon said.

Editor's note: This is a developing story and the IAPP will update this article.