Latest GDPR case: TikTok fined €345 million over privacy issues!

2023-09-18 13:25

GDPR

Details

On 15 September 2023 local time, the Irish Data Protection Commission (DPC) announced that it had reached a final decision in its inquiry into TikTok, imposing a fine of €345 million for alleged infringements of the EU General Data Protection Regulation (GDPR) and ordering TikTok to bring its non-compliant data processing into compliance within three months.

The inquiry sought to examine whether, between 31 July 2020 and 31 December 2020, TikTok complied with its obligations under the GDPR in relation to the processing of personal data of child users on the TikTok platform, specifically:

  • Certain TikTok platform settings, including public-by-default settings and the settings associated with the “Family Pairing” feature;
  • Age verification during the registration process.

The inquiry found that during this period TikTok's privacy settings for child users on the platform defaulted to public, meaning that all content posted by children aged 13 to 17 was by default visible to anyone, including people not on the platform.
The Family Pairing feature allowed parents and guardians to link their account with a child's account, but the feature was found to be flawed: a non-child user who could not be verified as a parent or guardian was able to pair their account with that of a minor aged 16 or over. This meant that a non-child user could enable direct messaging for a child user, exposing the child user to significant risk.
In addition, the DPC found that TikTok fell short in providing child users with sufficient transparency about use of the platform, making it difficult for child users to understand TikTok's privacy practices, and that it used “dark patterns” to nudge them towards platform settings that reduced their privacy protection.

Overall, TikTok was found to have infringed the following eight provisions of the GDPR: Articles 5(1)(a), 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e). These correspond to the principles of lawfulness, fairness and transparency of processing; data minimisation; data security; responsibility of the controller; data protection by design and by default; and the right of data subjects (including minors) to receive clear and plain information about the processing and about the recipients of their personal data.
The European Data Protection Board (EDPB) became involved in the inquiry after the German privacy authorities and the Italian regulator disagreed with Ireland's preliminary findings.
In its binding decision, the EDPB analysed the design practices TikTok used in two pop-up notices shown to children aged 13 to 17: the registration pop-up and the video-posting pop-up. It found that neither pop-up presented the options to users in an objective and neutral way.
In the registration pop-up, children were nudged towards the button on the right labelled “Skip”, which selected a public account; this had knock-on effects on the child's privacy on the platform, for example making comments on video content created by other children visible.
In the video-posting pop-up, children were nudged to click the “Post Now” button on the right, shown in bold and a darker colour, rather than the lighter “Cancel” button. A user who wanted to make their post private had to select “Cancel” first and then look for the privacy settings to switch to a “Private Account”. Users were therefore encouraged to choose the public-by-default settings, and TikTok made it harder for them to make choices that favoured the protection of their personal data. Moreover, the consequences of the different options were not clear to child users. The EDPB confirmed that controllers should not make it difficult for data subjects to adjust their privacy settings and restrict processing.
The EDPB also assessed whether the age verification measures TikTok implemented between 31 July and 31 December 2020 met the requirements of data protection by design (Article 25(1) GDPR, “PbD”). The EDPB expressed serious doubts about the effectiveness of the age verification measures TikTok took during this period, particularly given the severity of the risks faced by the large number of children affected. It found that the age-gating measures TikTok deployed to prevent children under 13 from accessing the platform could easily be circumvented, and that the measures applied after a user had gained access were not applied systematically enough. However, the EDPB stated that, because of insufficient information in the cooperation process, in particular on the state of the art, it could not conclusively assess whether TikTok complied with Article 25(1) GDPR during this period.

EDPB Chair Anu Talus said: “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner, particularly if that presentation can nudge people into making decisions that violate their privacy interests.”
TikTok spokesperson Morgan Evans said: “We disagree with this decision, particularly the amount of the fine.” “The EDPB's criticisms focus on features and settings that were in place three years ago, which we changed before the inquiry even began.”

The Data Protection Commission (DPC) adopted its final decision regarding its inquiry into TikTok Technology Limited (TTL) on 1 September 2023.

This own-volition inquiry sought to examine the extent to which, during the period between 31 July 2020 and 31 December 2020 (the Relevant Period), TTL complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:

  • Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the ‘Family Pairing’ feature; and
  • Age verification as part of the registration process.


As part of the inquiry, the DPC also examined certain of TTL’s transparency obligations, including the extent of information provided to child users in relation to default settings.

At the conclusion of its investigation, the DPC submitted a draft decision to all Supervisory Authorities Concerned (CSAs), for the purpose of Article 60(3) GDPR, on 13 September 2022. The DPC’s draft decision proposed findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e) GDPR, in relation to the above processing. While there was broad consensus on the DPC’s proposed findings, objections to the draft decision were raised by the Supervisory Authorities (each an SA, collectively SAs) of Italy and Berlin (acting on behalf of itself and the Baden-Württemberg SA).

The objection raised by the Berlin SA sought the inclusion of an additional finding of infringement of the Article 5(1)(a) GDPR principle of fairness as regards ‘dark patterns’ while the objection raised by the Italian SA sought to reverse the DPC’s proposed finding of compliance with Article 25 GDPR, as regards TTL’s approach to age verification during the Relevant Period. The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and, in the circumstances, decided to refer the objections to the EDPB for determination pursuant to the Article 65 GDPR dispute resolution mechanism.

The European Data Protection Board adopted its binding decision on the subject matter of the objections on 2 August 2023 with a direction that the DPC must amend its draft decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness, further to the objection raised by the Berlin SA, and to extend the scope of the existing order to bring processing into compliance, to include reference to the remedial work required to address this new finding of infringement.

The DPC’s decision, which was adopted on 1 September 2023, records findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR. The decision further exercises the following corrective powers:

  1. A reprimand;
  2. An order requiring TTL to bring its processing into compliance by taking the action specified within a period of three months from the date on which the DPC’s decision is notified to TTL; and
  3. Administrative fines totalling €345 million.


For further details, see the EDPB website:

Decision in the matter of TikTok Technology Limited made pursuant to Section 111 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation
