

TikTok Faces Massive €345 Million Fine Over Child Data Violations in E.U.

Irish Data Protection Commission announces €345 million fine of TikTok | 15/09/2023 | Data Protection Commission

🚨 Legal Insight: TikTok’s €345 Million Fine for Child Data Violations

The Irish Data Protection Commission (“DPC”) has imposed a substantial €345 million fine on TikTok for its breach of the European Union’s General Data Protection Regulation (“GDPR”) in connection with children’s data.

The Inquiry

Initiated in September 2021, the investigation scrutinized TikTok’s handling of personal data of users aged 13 to 17 during the period from July 31 to December 31, 2020.

The DPC focused its examination on three aspects of how TikTok processed children’s data: (i) platform settings, (ii) age verification, and (iii) transparency information.

The Findings:

The following table includes the findings and their corresponding GDPR violations:

| Finding | Breached GDPR Article(s) |
|---|---|
| The default profile settings for child user accounts were configured as public, allowing both TikTok users and those outside the platform to access the content posted by the child user. | GDPR 25(1), GDPR 25(2), GDPR 5(1)(c), GDPR 24(1) |
| The ‘Family Pairing’ feature permitted non-child users (without verified parental or guardian status) to connect their account with that of a child user. This enabled non-child users to activate Direct Messages for child users aged 16 and above, potentially exposing child users to significant risks. | GDPR 5(1)(f), GDPR 25(1) |
| The default public profile settings for child users also presented various potential risks to children under the age of 13 who accessed the platform. | GDPR 24(1) |
| TikTok failed to provide sufficient transparency information to child users. | GDPR 12(1), GDPR 13(1)(e) |
| TikTok utilized ‘dark patterns’ to guide users toward selecting privacy-intrusive options during both the registration process and when posting videos. | GDPR 5(1)(a) |


Explanation of Breached GDPR Articles

Here are the stipulations of the GDPR articles in question.

  1. GDPR 5(1)(a): Emphasizes lawful, fair, and transparent processing of personal data in relation to the data subject.
  2. GDPR 5(1)(c): Underscores that personal data should be adequate, relevant, and limited to what is necessary for processing purposes.
  3. GDPR 5(1)(f): Highlights the need to process personal data securely, protecting against unauthorized or unlawful processing.
  4. GDPR 12(1): Mandates data controllers to provide transparent and easily accessible information to data subjects about their data processing.
  5. GDPR 13(1)(e): Requires informing data subjects about the recipients or categories of recipients to whom their personal data may be disclosed.
  6. GDPR 24(1): Places responsibility on data controllers to implement appropriate data protection measures, including documentation of processing activities and ensuring authorized personnel handle personal data.
  7. GDPR 25(1) & 25(2): Focus on data protection by design and by default, which emphasizes integrating data protection measures into the development of products and services, and requiring data controllers to implement appropriate technical and organizational safeguards.

The Outcome

In addition to the substantial financial penalty and a reprimand, the DPC ordered TikTok to bring its data processing practices into line with GDPR standards within a three-month window. Anu Talus, EDPB Chair, emphasized the duty of social media companies to present choices to users, especially children, in a fair and non-manipulative manner.

TikTok, while expressing its disagreement with the ruling, highlighted that the criticisms pertained to features and settings in place three years ago, and that it has since made changes, including setting all under-16 accounts to private by default. The company is set to launch a redesigned registration process for 16- and 17-year-old users, making private accounts the default setting.

This significant legal development follows prior fines in France and the US for collecting data from users under 13 without parental consent, and in the UK for complicating the opt-out process in their cookie policy.