
TikTok fined €345 million for data breach

Social media and data protection issues seem to go hand in hand.

Data protection issues surrounding the use of social media have always been a cause for concern for individuals, especially when it comes to children’s data privacy.

On 15 September 2023, the video-focused social media platform app, TikTok, was fined €345 million by Ireland’s Data Protection Commission (DPC) over the data privacy of children.

Background

Over a five-month period in 2020, TikTok breached the General Data Protection Regulation (GDPR) principles of fairness and of data protection by design and default in processing the data of users aged under 18.

TikTok stated it had provided information to those users in a few ways, including its privacy policy and ‘Summary for Users U18’. Although this advised that a public account was accessible to any other user, it neglected to state that the content would be viewable via its website to anyone, whether they were registered users or not.

Data protection by design and default requires appropriate technical and organisational measures to be put in place such as encrypting data and regularly updating security protocols. When individuals aged 13-17 created accounts on the app, their accounts were made ‘public’ by default and their content was available for anyone to view.

Judgment

Ireland’s Data Protection Commission concluded that TikTok had infringed the data privacy of its users aged 13-17. A fine of €345m was imposed.

“…the infringements are all serious in nature and gravity. The infringements concern personal data belonging to children and the infringements increased the risks posed by the processing to the rights and freedoms of those children.”

Further, TikTok was reprimanded and ordered to ensure its processing was compliant within three months.

“the reprimand will contribute towards dissuading future non-compliance by formally recognising the serious nature of the infringements.”

Comment

TikTok has form. In April 2023, the Information Commissioner’s Office (ICO) issued a £12.7m fine for its use of the personal data of children contrary to the Data Protection Act 2018.

Fines and reprimands on this scale are a reminder, should one be needed, to be proactive in protecting your customers’ personal data and in complying with your statutory obligations.

For more information about this article or any other aspect of data privacy and commercial law, contact Napthens Solicitors in Preston, Blackburn, Liverpool, and across the North West today.