The Data Protection Commission (DPC), Ireland's data protection regulator, has fined TikTok Technology Limited (TikTok) €345 million for breaching the EU GDPR's principle of fairness and requirements for data protection by design and default when processing data relating to users aged between 13 and 17, and children under 13.
Both the EU GDPR and the UK GDPR (collectively the GDPR) contain several prescriptive requirements organisations are obliged to comply with to protect children's personal data, including ensuring that children are addressed in plain, clear language that they can understand.
The GDPR requires this specific protection for children as they are likely to be less aware of the risks, consequences and their rights in relation to personal data.
As part of ensuring personal data is sufficiently protected, the GDPR requires appropriate technical and organisational measures to be adopted by organisations in every aspect of their processing activities.
The purpose of these organisational measures should be to implement the GDPR's principles effectively and safeguard individual data protection rights.
This requirement is known as "data protection by design and default".