Landmark Ruling: EDPB Sets Precedent with Binding Decision on TikTok’s Data Practices

In a pivotal move for data protection, the European Data Protection Board (EDPB) unveiled its Binding Decision 2/2023 on September 15, 2023. This decision, adopted on August 2, 2023, under the authority of Article 65(1)(a) of the General Data Protection Regulation (GDPR), addresses a contentious dispute surrounding TikTok Technology Limited.


The dispute arose from the draft decision of the Data Protection Commission (DPC) and the subsequent objections raised by various data protection authorities. The crux of the matter lies in the processing of personal data belonging to TikTok’s registered users aged between 13 and 17, along with specific concerns regarding design practices and issues concerning children below the age of 13.


Anu Talus, EDPB Chair, emphasized the responsibility of social media companies to present choices, especially to minors, in a fair and unbiased manner. She underscored the importance of providing privacy-related options objectively and neutrally, without resorting to deceptive or manipulative tactics. This decision reinforces the imperative for digital entities to exercise utmost care and implement robust measures to safeguard children’s data protection rights.


Findings of Non-Compliance:


  • Infringement of Fairness Principle:

TikTok was found to have breached the GDPR’s principle of fairness in its processing of personal data pertaining to adolescents between 13 and 17 years old. Specifically, the Registration Pop-Up and Video Posting Pop-Up were analyzed, revealing biased design practices that influenced user choices.


  • Challenges with Age Verification Measures:

Serious doubts were raised regarding the effectiveness of TikTok’s age verification measures during the specified period. The EDPB identified loopholes in the age gate intended to restrict access for users under 13, as well as deficiencies in post-access controls.


  • Deficiencies in Privacy by Design:

The public-by-default settings adopted by TikTok were deemed contrary to the principles of data protection by design and default, data minimization, and transparency. This underscores the critical need for platforms to prioritize privacy in their design and default settings.


  • Monetary Penalty:

In addition to a reprimand and compliance order, the IE DPA imposed a substantial fine of €345 million on TikTok as a consequence of the identified infringements.


The EDPB’s resolute decision, coupled with the IE DPA’s final verdict, marks a significant milestone in data protection, setting a powerful precedent for digital platforms. The imperative for fairness, transparency, and robust age verification measures underscores the evolving landscape of data privacy. As we move forward, the integration of privacy by design will play an increasingly pivotal role in shaping ethical data practices and ensuring the protection of user rights in an ever-connected world.