AP (The Netherlands) - 09.04.2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Netherlands |DPA-BG-Color= |DPAlogo=LogoNL.png |DPA_Abbrevation=AP (The Netherlands) |DPA_With_Country=AP (The Netherlands) |Case_Number_Name=...") |
m (Ar moved page AP (The Netherlands) - TikTok to AP (The Netherlands) - 09.04.2021) |
||
(4 intermediate revisions by 3 users not shown) | |||
Line 62: | Line 62: | ||
}} | }} | ||
The Dutch DPA fined TikTok Inc. €750,000 for providing its privacy policy to Dutch users - many of whom are children under the age of 16 - solely in English, in violation of Article 12(1) GDPR. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Dutch DPA (Autoriteit Persoonsgegevens, 'AP'), launched an ''ex officio'' investigation into the processing of personal data by TikTok Inc (TikTok), which is based in California, USA. | |||
TikTok operates the TikTok app, which allows users to create, edit, and share short videos online. TikTok processes a large amount of personal data via the app, including: User ID, name/nickname, user settings, user generated content (e.g. videos, messages, contents), IP address, mobile carrier, time zone settings, App version, device model, device system, network type, device ID, screen resolution, operating system, and appID. A large group of Dutch children under the age of 16 use the TikTok app, some of whom are around 12 years old. | |||
When a user creates a TikTok account, they are informed in Dutch that they are agreeing to TikTok's Privacy Policy. However, the AP's investigation revealed that between 25 May 2018, and 28 July 2020, TikTok provided its Privacy Policy to Dutch users - including children - only in English. This was true both during the registration process, as well as when a user is logged in and wants to consult the Privacy Policy in the TikTok app. | |||
Since 29 July 2020, TikTok has provided its Privacy Policy to Dutch data subjects in Dutch. It also provides a separate document that is appropriate for Dutch speaking children in terms of language and form. | |||
=== Holding === | === Holding === | ||
In | The AP found that TikTok Inc. infringed Article 12(1) GDPR during the period from 25 May 2018 to 28 July 2020, by only providing its Privacy Policy to Dutch children in English. | ||
Article 12(1) GDPR provides that the controller shall take appropriate measures to provide any information relating to the processing of personal data to data subject's in a concise, transparent, and intelligible and easily accessible form, using clear and plain language, in particular for information addressed specifically to a child. | |||
Under the WP29's Guidelines on Transparency, TikTok is required to know its intended audience and identify what qualifies as intelligible on this basis. Accordingly, it must be aware that a substantial part of its intended audience consists of children under 16 years old. | |||
The AP highlighted that the requirement of intelligibility requires, as a minimum, that when the controller addresses data subjects who speak another language, it provides a translation into that language. This obligation applies in particular when the information is addressed to young children, so that they can easily understand this information. The AP emphasised that it is not relevant that a relatively large group of Dutch children may have a good command of English, especially as TikTok is used by many people under the age of 16. It cannot be taken for granted that data subjects in that age group will have a good command of English. | |||
'''The Fine''' | |||
The AP imposed a fine of €750,000 on TikTok for its violation of Article 12(1) GDPR. | |||
The AP outlined that, in the event of an infringement of Article 12(1) of the GDPR, pursuant to Article 58(2)(i) and Article 83(5) GDPR, read in conjunction with Article 14(3) of the Dutch General Data Protection Regulation (Implementation) Act (Uitvoeringswet Algemene verordening gegevensbescherming), it is authorised to impose an administrative fine on TikTok Inc. of up to €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding business year, whichever is higher. | |||
The AP has adopted the Administrative Rules on Penalties 2019 (Beleidsregels bestuurlijke boetes 2019) in order to implement the power to impose an administrative fine, which includes determining the amount of the fine. In Annex 2, the infringement of Article 12(1) of the GDPR is classified into category III, for which the penalty range is €300,000 to €750,000 and the applicable base fine is €525,000. | |||
The AP increased the basic amount of the fine pursuant to Article 7 (a) of the Administrative Rules on Penalties 2019 by €225,000 to €750,000, being the maximum of the penalty range in that category. It did so in light of the gravity and duration of the breach. In particular, the breach affected a large number of data subjects (an indicative study showed that approximately 830,000 Dutch children under the age of 18 were using TikTok at the time of the breach), many of whom are children, i.e. a vulnerable group of persons, who are less aware of the risks of the processing of personal data, as well as their rights in relation to such processing. | |||
'''The transfer of findings to the Irish Data Protection Authority''' | |||
The AP announced that it is transferring several other results from its investigation to the Irish DPA (the Data Protection Authority, or DPC), who will complete the investigation into TikTok's practices and take a final decision. | |||
This is because, although TikTok was not established in the EU when the AP initiated its investigation (meaning that, under Article 55(1) GDPR, the AP was competent to decide on the case), TikTok established itself in Ireland on 29 July 2020, meaning that, from this date onwards, under Article 56(1) GDPR, the DPC is competant, and not the AP. | |||
The AP was authorised to assess TikTok's privacy statement, as this infringement occurred between 25 May 2018 to 28 July 2020, meaning that it ended prior TikTok's establishment in Ireland on 29 July 2020. | |||
The AP stated that in its role as a supervisory authority concerned and the requesting authority, will continue to be involved in the finalisation of the case and the realisation of the final decision. | |||
== Comment == | == Comment == |
Latest revision as of 17:08, 12 December 2023
AP (The Netherlands) - TikTok | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 12(1) GDPR Article 14(3) GDPR Article 58(2) GDPR Article 83(2) GDPR Article 83(5) GDPR Beleidsregels bestuurlijke boetes 2019 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 09.04.2021 |
Published: | 22.07.2021 |
Fine: | 750000 EUR |
Parties: | TikTok |
National Case Number/Name: | TikTok |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English Dutch |
Original Source: | Autoriteit Persoonsgegevens (in EN) Autoriteit Persoonsgegevens (in NL) |
Initial Contributor: | n/a |
The Dutch DPA fined TikTok Inc. €750,000 for providing its privacy policy to Dutch users - many of whom are children under the age of 16 - solely in English, in violation of Article 12(1) GDPR.
English Summary
Facts
The Dutch DPA (Autoriteit Persoonsgegevens, 'AP'), launched an ex officio investigation into the processing of personal data by TikTok Inc (TikTok), which is based in California, USA.
TikTok operates the TikTok app, which allows users to create, edit, and share short videos online. TikTok processes a large amount of personal data via the app, including: User ID, name/nickname, user settings, user generated content (e.g. videos, messages, contents), IP address, mobile carrier, time zone settings, App version, device model, device system, network type, device ID, screen resolution, operating system, and appID. A large group of Dutch children under the age of 16 use the TikTok app, some of whom are around 12 years old.
When a user creates a TikTok account, they are informed in Dutch that they are agreeing to TikTok's Privacy Policy. However, the AP's investigation revealed that between 25 May 2018, and 28 July 2020, TikTok provided its Privacy Policy to Dutch users - including children - only in English. This was true both during the registration process, as well as when a user is logged in and wants to consult the Privacy Policy in the TikTok app.
Since 29 July 2020, TikTok has provided its Privacy Policy to Dutch data subjects in Dutch. It also provides a separate document that is appropriate for Dutch speaking children in terms of language and form.
Holding
The AP found that TikTok Inc. infringed Article 12(1) GDPR during the period from 25 May 2018 to 28 July 2020, by only providing its Privacy Policy to Dutch children in English.
Article 12(1) GDPR provides that the controller shall take appropriate measures to provide any information relating to the processing of personal data to data subject's in a concise, transparent, and intelligible and easily accessible form, using clear and plain language, in particular for information addressed specifically to a child.
Under the WP29's Guidelines on Transparency, TikTok is required to know its intended audience and identify what qualifies as intelligible on this basis. Accordingly, it must be aware that a substantial part of its intended audience consists of children under 16 years old.
The AP highlighted that the requirement of intelligibility requires, as a minimum, that when the controller addresses data subjects who speak another language, it provides a translation into that language. This obligation applies in particular when the information is addressed to young children, so that they can easily understand this information. The AP emphasised that it is not relevant that a relatively large group of Dutch children may have a good command of English, especially as TikTok is used by many people under the age of 16. It cannot be taken for granted that data subjects in that age group will have a good command of English.
The Fine
The AP imposed a fine of €750,000 on TikTok for its violation of Article 12(1) GDPR.
The AP outlined that, in the event of an infringement of Article 12(1) of the GDPR, pursuant to Article 58(2)(i) and Article 83(5) GDPR, read in conjunction with Article 14(3) of the Dutch General Data Protection Regulation (Implementation) Act (Uitvoeringswet Algemene verordening gegevensbescherming), it is authorised to impose an administrative fine on TikTok Inc. of up to €20,000,000 or up to 4% of the total worldwide annual turnover of the preceding business year, whichever is higher.
The AP has adopted the Administrative Rules on Penalties 2019 (Beleidsregels bestuurlijke boetes 2019) in order to implement the power to impose an administrative fine, which includes determining the amount of the fine. In Annex 2, the infringement of Article 12(1) of the GDPR is classified into category III, for which the penalty range is €300,000 to €750,000 and the applicable base fine is €525,000.
The AP increased the basic amount of the fine pursuant to Article 7 (a) of the Administrative Rules on Penalties 2019 by €225,000 to €750,000, being the maximum of the penalty range in that category. It did so in light of the gravity and duration of the breach. In particular, the breach affected a large number of data subjects (an indicative study showed that approximately 830,000 Dutch children under the age of 18 were using TikTok at the time of the breach), many of whom are children, i.e. a vulnerable group of persons, who are less aware of the risks of the processing of personal data, as well as their rights in relation to such processing.
The transfer of findings to the Irish Data Protection Authority
The AP announced that it is transferring several other results from its investigation to the Irish DPA (the Data Protection Authority, or DPC), who will complete the investigation into TikTok's practices and take a final decision.
This is because, although TikTok was not established in the EU when the AP initiated its investigation (meaning that, under Article 55(1) GDPR, the AP was competent to decide on the case), TikTok established itself in Ireland on 29 July 2020, meaning that, from this date onwards, under Article 56(1) GDPR, the DPC is competant, and not the AP.
The AP was authorised to assess TikTok's privacy statement, as this infringement occurred between 25 May 2018 to 28 July 2020, meaning that it ended prior TikTok's establishment in Ireland on 29 July 2020.
The AP stated that in its role as a supervisory authority concerned and the requesting authority, will continue to be involved in the finalisation of the case and the realisation of the final decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
TikTok fined for violating children’s privacy Press release/22 July 2021 The Dutch Data Protection Authority (DPA) has imposed a fine of € 750,000 on TikTok for violating the privacy of young children. The information provided by TikTok to Dutch users – many of whom are young children – when installing and using the app was in English and thus not readily understandable. By not offering their privacy statement in Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data. This is an infringement of privacy legislation, which is based on the principle that people must always be given a clear idea of what is being done with their personal data. Many children in the Netherlands have TikTok on their phones. Last year the DPA launched an in-depth investigation of the app because of concerns regarding the privacy of children, who are treated as an especially vulnerable category under the law. They are less aware of the consequences of their actions, including the implications of sharing personal data on social media. This is why children are given additional protections under the data protection legislation. Transfer of the TikTok investigation If a company does not have its headquarters in Europe, any EU member state can engage in oversight with regard to its activities. In the case of companies that do have their headquarters in Europe, this responsibility would fall mainly to the country where the headquarters are located. Speaking on this subject, the DPA’s Deputy Chair Monique Verdier remarked, 'We are now transferring several results of our investigation to the Irish Data Protection Commission. Initially TikTok did not have its head office in Europe, and we were able to look into this matter from the Netherlands, but in the course of the our investigation, TikTok established operations in Ireland.' 'From that point on, the DPA was only authorised to assess TikTok's privacy statement because the violation itself had already ended. It is now up to Ireland's Data Protection Commission to finish our investigation and issue a final ruling on the other possible violations of privacy investigated by the DPA.' Measures to stop digital grooming and online bullying In early October of last year, the DPA submitted a report of the findings of its investigation to TikTok. TikTok then implemented a number of changes to make its app safer for children under the age of 16. One remaining issue is that children can still pretend to be older by filling in a different age when creating their account. By doing so they put themselves at greater risk. Changes 'With around 3.5 million users in the Netherlands, TikTok is one of the most popular apps right now,' said Ms Verdier. 'It can be fun to make videos together and see what other people make. But there are also people who are on TikTok for the wrong reasons. People who share videos that are meant to be private, who bully users or engage in grooming behaviour. The DPA welcomes the changes TikTok has made.' More control for parents Parents now also have more control over their child’s account. They can manage their child's privacy settings through their own account and the 'Family Pairing' feature. 'We're happy that parents can now control the privacy settings of their children's account from their own phone,' said Ms Verdier. 'Despite these changes, we would encourage parents to talk regularly with their children about what they do online. Take an interest in the videos they make and talk with them about the way they and other users respond to each other on TikTok.' TikTok has lodged an objection to the fine. Related news News message / 8 May 2020 Dutch Data Protection Authority to investigate TikTok Publicaties Rapport / 22 July 2021DownloadPDFDecision to impose a fine on TikTokDownload