TikTok is a popular platform on which users can create, edit and share videos. The app is mainly used by young people, many of whom are under the age of 16. Users communicate with each other through chats, giving likes or by posting comments under videos. An algorithm determines which videos the user automatically gets to see on their personal page. TikTok generates revenue through advertisements. Back in May 2020, the Personal Data Authority ("AP") reported that an investigation into the popular app's processing activities was underway. The first results were supposed to be published by the end of 2020. However, that took longer. Then recently the long-awaited fine decision on TikTok was published after all. The outcome: a fine of EUR 750,000 for violating the information obligation enshrined in Article 12(1) AVG.
This article elaborates on the principle of transparency - the most important part of the report - based on the penalty decision. It also discusses the circumstances surrounding the AP's investigation, namely its jurisdiction and other ongoing investigations.
What is striking about the AP's fine decision is that it "only" addresses the violation of the information and transparency obligation. This while in an earlier post the AP also talked about the lack of valid consent. After all, TikTok asks for consent in various situations, while in the Netherlands consent can only be validly given from the age of 16 and users are regularly younger than 16. There are also concerns about, among other things, the possible sharing of personal data with, for example, China without appropriate measures and the use of biometric data (which can also be used to estimate the age of users) without a valid basis. In addition, TikTok allegedly uses profiling in several markets (but not in the Netherlands).
The AP is not the only European authority to have launched an investigation into TikTok's practices. Earlier this year, the Italian authority imposed processing restrictions on the video app after a 10-year-old user allegedly died from imitating a posted video. French and Danish privacy watchdogs have also delved into the popular app's processing activities due to several complaints. The Danish authority has since handed over the investigation to Ireland's Data Protection Commssion ("DPC").
The first page of the decision states that the AP is going to ask the Irish DPC "to complete the investigation." On what grounds the rest of the AP's investigation would see is not clear. However, there is a chance that the AP's fine will therefore not be the last for TikTok.
Until July 2020, only an English-language privacy policy was available in the app. This while TikTok is used by a large number of young people aged 6(!) to 18 and is particularly popular with children aged 12. According to the AP, making only English-language information available does not match the target group, which means that Article 12 of the AVG has been violated. Pursuant to that article, information must be comprehensible, clear and in simple language. In addition, it follows from Recital 58 AVG that children deserve specific protection; a child must be able to understand information easily. An English text about the processing of personal data does not meet this requirement, according to the AP.
As an important principle of EU law, the principle of transparency is included as one of the basic principles of personal data processing: a processing operation must be lawful, proper and transparent it follows from Article 5(1)(a) AVG. Based on this principle, data subjects must be informed about the processing operations involving their data (Rev. 60 AVG). This obligation thus forms the link between the transparency principle and the information obligation.
The principle of transparency has previously been elaborated by the European Data Protection Board in the Transparency Guidelines. These Guidelines elaborate on the method of information and the factors relevant in determining whether the method of information is appropriate. The following guidance is relevant:
Understandable: the information must be able to be understood by an average member of the intended audience;
Clear and simple language: the information provided should not contain language that is too legal, technical or specialized. When the data controller addresses data subjects who speak a different language, a translation (under certain circumstances) into those languages must be provided;
Children or other vulnerable groups: the vocabulary, tone and style of language used should be appropriate for children.
TikTok believes that the majority of children should be able to understand the English-language documents, given, among other things, the general level of English proficiency in the Netherlands. However, the AP argues that TikTok should have done better research on the target audience and the level of comprehensibility; according to the AP, it cannot reasonably be argued that the information was also easily understood by children under 16.
The fact that TikTok has taken additional measures, such as placing pop-ups about the disclosure of videos shared in the app, setting up a Help and Safety Center and providing a Dutch summary of the privacy statement, does not alter the foregoing. Despite the AP's recognition that these measures can contribute to the level of transparency, information about the processing of personal data under Article 13 AVG must be provided to data subjects in advance. Such measures are only relevant at the moment the user has already created an account and thus the processing of personal data has already started.
In July 2020, TikTok made a Dutch-language privacy statement available to its Dutch users. As of that moment, the AP said there was no longer a violation of Article 12 AVG, as this document was consistent with Dutch-speaking children in terms of language and form.
The penalty decision goes on to address the question of whether the AP had authority to take enforcement action. This is because TikTok - previously based only in the US - now had a headquarters Ireland, which would mean that only the Irish DPC would be allowed to conduct an investigation within the EU. This is because under Article 56 AVG, the supervisory authority of the headquarters, also known as the lead authority, is competent to act in the case of cross-border processing operations. This is called the one-stop-shop principle.
The AP is of the opinion that it was allowed to enforce up to the moment of establishment of the European establishment in Ireland: July 29, 2020. After all, if there is no European establishment, in principle any authority in any member state may enforce. Because the violation to which the fine relates - namely, the violation of Article 12 AVG - had already ended before TikTok established itself in the EU, the establishment of the branch in Ireland does not affect this investigation by the AP.
Would you like to learn more about this topic? On December 7, 2021, the Data&Privacyweb the Knowledge Marketplace where you can learn about this topic.
