The Dutch Data Protection Authority has imposed a fine of €750,000 on TikTok for violating the privacy of young children. It was found that the information provided by TikTok to Dutch users (many of whom were children) when installing and using the app was in English and thus not capable of being understood by the intended audience. Consequently, by failing to offer their privacy statement in Dutch, TikTok did not provide an adequate explanation of how the app collects, processes and uses personal data.
The legal foundation behind the claim
Since at least 2018, TikTok had been violating the EU General Data Protection Regulation (“GDPR”) by way of processing children’s personal data without:
(a) having adequate measures in place to prevent children from downloading and/or using the app, contrary to TikTok’s own statement that the service is not directed at children under the age of 13;
(b) having in place adequate messaging to explain what data was being collected and how this data would be further processed to facilitate informed decision-making by users;
(c) providing the user with adequate transparency about the nature and extent of the processing of their data;
(d) acquiring the relevant and necessary consent of the children’s parents or guardians, or any effective consent; and/or
(e) any effective contractual basis or legitimate interest in collecting and using the data.
Children are treated as a vulnerable category of individual under data protection law. They are normally less aware of the consequences of their actions, including the implications of sharing personal data on social media. This is why children are given additional protection under data protection legislation.
Other claims against TikTok
There has been a series of claims against ByteDance, the owner of TikTok, over the last couple of years. On at least two previous occasions the company was held to be liable for violating children’s data. The first claim against TikTok was brought in the US. The company was then fined US$5.7m and ordered to delete data and amend the way the app operated. This was followed by another case brought in South Korea in 2020, in which similar penalties were imposed.
More recently, a claim was launched in April this year by Anne Longfield OBE, the former Children’s Commissioner for England, on behalf of millions of children using TikTok in the United Kingdom and European Economic Area. It is argued in the claim that TikTok has been illegally collecting children’s personal data, including videos, pictures, location, telephone numbers and biometric (or facial recognition) data without sufficient warning, transparency or the necessary consent required by law, and without children or their parents knowing what is being done with their private information.
Why is it important?
It’s easy for businesses to infringe data protection law without being aware of doing so, as this area of law is rapidly developing following the introduction of the GDPR. All UK and European organisations (and many beyond) are subject to GDPR if they process any personal data whatsoever, and there are significant sanctions for breaches. In particular, the maximum fine is £17.5 million or 4% of annual global turnover, whichever is greater.
Privacy notices can cause significant exposure, as we’ve seen with TikTok in the Netherlands. Many organisations still seem to be operating on the basis of pre-GDPR privacy notices, which do not provide all the information that is required in order to be compliant. This gives rise to a very visible risk of incurring fines, costs associated with legal proceedings and reputational issues.
If you would like to review your privacy notice or discuss any other aspect of data protection regulation, then please contact Madina Tatraeva at madina.tatraeva@ilaw.co.uk or Justin Ellis at justin.ellis@ilaw.co.uk.