DECISION SUMMARY
What happened
On 1 September 2023, the Irish Data Protection Commission announced a final decision imposing an administrative fine of €345 million on TikTok Technology Limited. The decision concluded a cross-border inquiry, opened in September 2021, into the lawfulness of TikTok's processing of personal data relating to child users on the platform. The inquiry covered the period from 31 July 2020 (the date TikTok Technology Limited took on the role of controller for European users) to 31 December 2020. The relatively short five-month inquiry period is significant: the €345 million figure relates to infringements occurring over half a year, not over the multi-year horizons typical for advertising fines.
The substantive complaints concerned a constellation of design choices in TikTok's platform that affected children. Account-creation defaults set the visibility of new teen accounts to public, meaning anyone (including unknown adults) could view a teen's posted content and send direct messages by default unless the teen actively changed the setting. The Family Pairing feature, intended to allow a parent or guardian to link to a child's account and configure restrictions, did not verify the relationship between the linking adult and the child. The on-screen information explaining visibility settings was inadequate for child users, did not explain processing fully and did not surface the privacy consequences of the default choice. The consent flow during account creation contained dark-pattern characteristics that nudged users away from private-by-default settings.
As lead supervisory authority under Article 56, the Irish DPC ran the inquiry and circulated a draft decision to the other concerned authorities in 2022. Two concerned authorities (the Berlin DPA and the Italian Garante) raised relevant and reasoned objections. The Berlin DPA proposed an additional finding that TikTok's use of dark patterns infringed Articles 5(1)(a) and 25(1). The Italian Garante proposed that an Article 6 lawful-basis finding be added. The DPC declined to follow these objections in its draft, and the matter was referred to the European Data Protection Board under Article 65. The EDPB issued Binding Decision 2/2023 on 2 August 2023, instructing the DPC to add the Article 6 finding. The DPC incorporated this in its final decision of 1 September 2023.
What the DPC found
The decision sets out seven distinct infringements. First, the public-by-default setting infringed Article 5(1)(c) (data minimisation) and 25(2) (data protection by default), because more personal data was made visible to a wider audience than was necessary for the purpose of operating the platform service. Second, the inadequate information about visibility settings infringed Article 5(1)(a) (fairness and transparency) and 13(1)(e) (information about recipients of personal data). Third, the Family Pairing feature's lack of relationship verification infringed Article 5(1)(f) (integrity and confidentiality), because it could enable an adult who was not the child's parent or guardian to gain restrictions-level access to the child's account. Fourth, the dark-pattern consent flow infringed Article 5(1)(a) (fairness) because it was designed to obscure or discourage privacy-protective choices.
Fifth and sixth, related findings infringed Article 24(1) (controller responsibility to implement appropriate measures) and Article 25(1) (data protection by design): TikTok failed to design its platform-onboarding flows to embed data-protection principles at the architectural level. Seventh, the EDPB-instructed Article 6 finding addressed the absence of a documented lawful-basis assessment for the visibility-default processing.
The legal architecture of the decision is significant because it leans heavily on Article 25 by-design and by-default obligations. The DPC's finding is that a controller cannot wait for complaints to surface design problems: it must proactively configure defaults and onboarding flows so that the most privacy-protective configuration is the default state, and so that any move away from that default requires an informed, intentional choice by the data subject. Embedding privacy-by-default at the architectural level is itself a Chapter IV duty of the controller, not a Chapter III right of the data subject.
Why the fine was this size
The €345 million fine is in the upper-middle band for major DPC decisions. The Article 83(5) ceiling for TikTok Technology Limited (whose parent ByteDance has reported global revenues in the US$80-110 billion range over the relevant period) is well in the multi-billion-euro range. The fine sits at roughly 0.3-0.4% of group revenue.
The Article 83(2) factors that weighed most heavily as aggravating include: the categories of data subjects (children, who are recognised in Recital 38 GDPR as deserving specific protection); the gravity of the infringements (multiple related infringements compounding the harm); the intentional or negligent character (the design choices were intentional even if the legal characterisation was not appreciated at the time); the categories of personal data (including biometric and behavioural data about minors); and the fact that profits or financial advantage arguably flowed from default-public visibility (because it drove engagement metrics). Mitigating factors plausibly include TikTok's subsequent product changes in 2021 (private-by-default for under-16s) and its cooperation with the inquiry.
Corrective orders and remediation
The DPC ordered TikTok to bring its processing operations into compliance with Articles 5, 24 and 25 within three months of the decision date. In practical terms this required TikTok to re-verify the design choices in its child-account onboarding flow, document the by-default architectural decisions, and surface adequate information to child users about the privacy consequences of each configuration choice. TikTok had already begun much of this remediation work in 2021-2022 in parallel with the inquiry, including making accounts of users aged 13-15 private by default, restricting direct messaging for under-16s, and rebuilding the Family Pairing relationship-verification flow.
Why the case matters
For platforms serving minors, the TikTok 2023 decision is the leading interpretation of Article 25 by-design and by-default obligations. The structural message is that defaults matter: a platform whose onboarding flow puts the most privacy-protective choice as the active default, with clear and age-appropriate information about the alternatives, satisfies Article 25. A platform whose onboarding flow defaults to public, requires effortful user action to move to private, and does not adequately explain the consequences, does not. The Family Pairing finding adds a verification dimension: parental-control features cannot rely on self-declaration alone where the consequence is access to a child's account.
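The two structural points above (privacy-protective defaults that can only be left by an informed choice, and a pairing feature that verifies the relationship rather than trusting self-declaration) as an added illustrative model; this is not TikTok's code and the age thresholds and field names are assumptions drawn only from the summary.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    visibility: str       # "private" or "public"
    direct_messages: str  # "off", "friends" or "everyone"


def legacy_default_settings(age: int) -> Settings:
    """The pre-remediation pattern the decision faulted: public, open messaging, regardless of age."""
    return Settings(visibility="public", direct_messages="everyone")


def default_settings(age: int) -> Settings:
    """Article 25(2)-style defaults: the most privacy-protective configuration is the starting state."""
    if age < 13:
        raise ValueError("below minimum age for an account")
    if age < 16:                      # assumed band: 13-15 private, messaging off
        return Settings(visibility="private", direct_messages="off")
    return Settings(visibility="private", direct_messages="friends")


def apply_choice(current: Settings, requested: Settings, age: int, acknowledged_notice: bool) -> Settings:
    """Leaving the default requires an explicit, informed act; no silent opt-out."""
    if requested == current:
        return current
    if not acknowledged_notice:
        raise PermissionError("change requires acknowledging the visibility notice")
    if age < 16 and requested.direct_messages == "everyone":
        raise PermissionError("open messaging is not available for under-16 accounts")
    return requested


class FamilyPairing:
    """Linking an adult to a child's account needs a code shown on the child's device plus the child's confirmation."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def start(self, child_account: str) -> str:
        code = secrets.token_hex(4)   # single-use code generated on the child's side
        self._pending[child_account] = code
        return code

    def link(self, adult_account: str, child_account: str, code: str, child_confirms: bool) -> bool:
        expected = self._pending.get(child_account)
        if expected is None or not hmac.compare_digest(expected, code) or not child_confirms:
            return False
        del self._pending[child_account]  # consume the code so it cannot be replayed
        return True
```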
For practitioners, the decision provides concrete examples of what crosses the line on dark patterns in consent flows. The DPC was not asked to enforce a standalone dark-patterns rule; it interpreted the existing Article 5(1)(a) fairness obligation as encompassing a prohibition on consent UX designed to manipulate choice. This reading parallels the EDPB's Guidelines 03/2022 on dark patterns in social media platform interfaces, finalised in February 2023, and confirms that the existing GDPR provisions can be the source of substantive UX-design requirements without new legislation.