EDPB resolves dispute on TikTok’s children’s data processing

The European Data Protection Board (EDPB) resolved the dispute regarding TikTok’s after Ireland’s DPA draft decision submission on children’s personal data.

 Electronics, Phone, Mobile Phone, Text, Logo

The European Data Protection Board (EDPB) resolved a dispute regarding the draft decision submitted by the Irish Data Protection Authority (DPA) concerning a large-scale 2021 inquiry into TikTok’s processing of children’s personal data. Namely, the inquiry focuses on TikTok’s processing of the personal data of registered TikTok users aged 13 to 17 and data of minors under the age of 18. Due to the absence of consensus and questions that arose from objections the EDPB was called to settle the case within two months. The objections and questions centered, among others, on the following:

  • Whether TikTok violated GDPR by inadequately preventing children under 13 from accessing the platform due to possible shortcomings in its age-verification measures, and
  • TikTok’s compliance with the principle of fairness regarding design practices.

Within one month of receiving information from the EDPB, the Irish DPA, the lead supervisory authority (LSA), will give its final decision to the controller one month after EDPB’s final, binding decision. EDPB stated that it will publish its decision on its website, incorporating required redactions. TikTok’s spokesperson said that they had not received the final decision yet, and did not comment on the case.

Why does it matter? TikTok’s policies regarding children’s data processing have been questioned over the past years by EU and other European DPAs. Namely, the Dutch DPA issued against the company in 2021, a €750,000 fine after finding that it had violated Dutch children’s privacy by not having a privacy policy in their native language. Additionally, the UK’s privacy watchdog Information Commissioner’s Office (ICO) imposed a £12.7 million fine against TikTok, in April 2023, after finding that it breached UK’s GDPR principles. And while the UK is no longer member of the EU, GDPR is still retained under its domestic law. Thus, ICO found that:

  • TikTok failed to be transparent to users as there was no easy-to-understand information on how their data is collected, used, and shared, and that
  • It ‘provided services to UK children under the age of 13 and processed their personal data without consent or authorization from their parents or carers.’