EU acts against TikTok for failure on Romania election interference
Also fines Meta €251m for Facebook security breach
European Commission opens formal proceedings against social media platform TikTok over its suspected failure to limit election interference and fines Meta for a Facebook security breach which it disclosed in 2018.
The action against TikTok relates to the Romanian presidential election which took place in November. The election was marred by alleged Russian peddling of misinformation and anti-European and anti-NATO propaganda. Romanian authorities have accused TikTok of “irregularities” on its platform, and the results of the first round of voting were annulled before the second, final round could take place.
On December 5th TikTok was ordered to freeze data linked to the Romanian elections under the terms of the Digital Services Act (DSA).
The Commission said it intends to examine TikTok's policy on political advertisements and paid-for political content in addition to the risks of algorithmic manipulation.
European Commission President Ursula von der Leyen said yesterday:
“Following serious indications that foreign actors interfered in the Romanian presidential elections by using TikTok, we are now thoroughly investigating whether TikTok has violated the Digital Services Act [DSA] by failing to tackle such risks.”
Parent company ByteDance said it had protected the integrity of its platform through more than 150 elections this year and had provided the European Commission with extensive information on its efforts.
It said it did not accept paid political advertisements and proactively removed content violating its policies on misinformation and hate speech.
The Commission is concerned about the risks of interference in the upcoming presidential election in Croatia, which takes place on December 29, and the German parliamentary election, which will be held in February 2025 following the collapse of the German government coalition.
The role of TikTok and other social media platforms, including X, in spreading political misinformation is a source of concern in many countries, including the UK.
Meta fined
The EU has also fined Meta €251 million for a Facebook security breach that affected millions of users, which took place in 2017 and which Meta disclosed in September 2018.
The fine was issued by Ireland’s Data Protection Commission (DPC) under the General Data Protection Regulation (GDPR). Meta has incurred heavier GDPR fines but this is still substantial.
The breach occurred when Facebook rolled out a video upload function that included a “View as” feature, which let the user see their own Facebook page as it would be seen by another user.
A bug in the design allowed malicious actors to invoke the uploader in conjunction with Facebook’s “Happy Birthday Composer” feature to generate a user token that gave them full access to the Facebook profile of that user.
Between September 14 and September 28, 2018, the Ireland DPC said unauthorized people used scripts to exploit this vulnerability to log into approximately 29 million Facebook accounts globally, around 3 million of which were based in the EU/European Economic Area.
Personal data compromised included Facebook users’ full names, email addresses, phone numbers, location, places of work, dates of birth, religion, gender, posts on timelines, groups in which they were a member, and children’s personal data.
The fine comes in two parts. The first relates to the time it took for Meta to report the breach. The DPC fined Meta €11 million on the basis that its notification of the breach did not include all the information it “could and should have.”
The much larger part of the fine, €240 million, is a consequence of Meta violating GDPR principles of data protection by design. The DPC established that the company did not have appropriate measures in place to protect people’s data from unintended processing.
In a statement, DPC deputy commissioner Graham Doyle said: “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”