EDPB settles dispute on TikTok processing of children’s data

Aug 3, 2023

Source: European Data Protection Board

The EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR concerning a draft decision of the Irish Data Protection Authority (DPA) regarding TikTok Technology Limited (TTL). The binding decision addresses legal questions arising from objections to the draft decision of the Irish DPA as lead supervisory authority (LSA) regarding TTL. The EDPB binding decision ensures the correct and consistent application of the GDPR by the national DPAs.

The Irish DPA issued the draft decision following an own-volition inquiry into the processing by TTL of personal data of registered TikTok users between the ages of 13 and 17, as well as certain issues regarding TTL’s processing of personal data of children under the age of 13. As no consensus was reached on the objections lodged by DPAs, the EDPB was called upon to settle the dispute between the DPAs within two months.

The objections concerned, among other things, whether there had been an infringement of data protection by design and default with regard to age verification, and whether there had been an infringement of the principle of fairness with regard to certain design practices.  

The LSA shall adopt its final decision, addressed to the controller, on the basis of the EDPB binding decision taking into account the EDPB’s legal assessment, at the latest one month after the EDPB has notified its decision. The EDPB will publish its decision on its website after the LSA has notified its national decision to the controller and, if applicable, any necessary redactions have been made to the EDPB’s Binding Decision.

 

Note to editors:

For further information on the Art. 65 procedure, please consult the FAQ

Recent news

Position paper on GDPR Evaluation 2024

Position paper on GDPR Evaluation 2024

This paper highlights how, from the perspective of data protection practitioners, the business sector –
particularly small and medium-sized enterprises (SMEs) – can be better supported in meeting data
protection requirements within the context of increasing digitization.

read more