TikTok fined €345mln for breaking EU data law on children’s accounts
The Irish data watchdog, which supervises TikTok across the EU, claims that the app violated various GDPR requirements.
TikTok has been fined €345 million (£296 million) for violating EU data protection laws in its handling of children's accounts, including failing to keep underage users' information private.
The Irish data protection body, which supervises TikTok across the EU, claimed that the Chinese-owned video app had violated various GDPR requirements.
It found that TikTok violated GDPR by defaulting child users' accounts to public; failing to provide transparent information to child users; allowing an adult to access a child's account on the "family pairing" setting to enable direct messaging for children over 16; and failing to adequately consider the risks posed to children under 13 on the platform who were placed on a public setting.
According to the Irish Data Protection Commission (DPC), users aged 13 to 17 were guided through the sign-up procedure in such a way that their accounts were set to public by default, which means anybody may access or comment on an account's content. It also found that the "family pairing" feature, which allows an adult to modify a child's account settings, did not check whether the adult "paired" with the child user was a parent or guardian.
The Commission last week fined Instagram owner Meta Platforms Inc. 405 million euros ($402 million) in a long-running investigation into allegedly mishandling data about minors who operated business accounts, which exposes more of their personal data than if they operated a personal account.
Meta responded by arguing that the decision is related to old settings that they had updated more than a year ago and that they intend to appeal the fine and its amount.
The DPC decided that TikTok, which has a minimum user age of 13, failed to adequately consider the risk presented to minor users who acquired access to the platform. It said the public-by-default setting permitted anybody to "view social media content posted by those users."
For under-17s, the Duet and Stitch features, which let users merge their material with that of other TikTokers, were also enabled by default. However, the DPC determined that TikTok's techniques for validating users' ages did not violate GDPR.
TikTok stated that it disagrees "with the decision, particularly the level of the fine imposed. The DPC's criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default."
The DPC also acknowledged that it had been overruled on several points of its judgment by the European Data Protection Board, a group comprising data and privacy authorities from EU member states. This meant that it had to include a finding proposed by the German authority that the use of "dark patterns" - the term for misleading website and app designs that push users into specific behaviors or choices - violated a GDPR provision on fair processing of personal data.