Garante per la protezione dei dati personali (Italy) - 9788429
Garante per la protezione dei dati personali - 9788429 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(3) Directive 2002/58/EC Article 122 d. lgs. 30 giugno 2003, n. 196 (Italian Privacy Code) |
Type: | Investigation |
Outcome: | Other Outcome |
Started: | |
Decided: | 07.07.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 9788429 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
Initial Contributor: | Carloc |
The Italian DPA issued a warning against TikTok for processing cookies without the users' consent under its announced privacy policy update.
English Summary
Facts
Social media platform TikTok (the controller) provided personalized advertising to its users (the data subjects) on the legal basis of consent (Article 6(1)(a) GDPR). In June 2022, the controller announced that a new privacy policy would come into effect on 13 July 2022. Under the new policy, the controller would only serve personalize advertising to users over 18 years of age and on the legal basis of the legitimate interest of the controller (Article 6(1)(f) GDPR). The Italian DPA started an investigation and found that personalized advertisement would likely involve the use of cookies or other tracking mechanisms.
Holding
Regarding the competence of the Italian DPA, it should be noted that the Irish DPA is the lead supervisory authority for the controller’s data processing activities under the GDPR's "one-stop-shop" mechanism. The Italian DPA acknowledged the Irish DPA’s position in its decision. However, the Italian DPA held the ePrivacy Directive to be applicable to the processing of cookies by the controller and held itself competent to enforce the Directive. The DPA referenced Recital 173 GDPR and EDPB Opinion 05/2020[1] on this point.
The DPA held that the controller’s new privacy policy violated Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC). The Article only allows the controller to process cookies and use similar tracking mechanisms with the user’s consent[2]. For this reason, legitimate interest under Article 6(1)(f) GDPR is not a valid legal basis for the processing of cookies. The Italian DPA also held that the controller violated Article 122 of the Italian Privacy Code (d. lgs. 30 giugno 2003, n. 196). Article 122 is a direct transposition of Article 5(3) of the Directive. The violation of the Code constitutes a direct consequence of the violation of the Directive.
The DPA issued a warning against the controller.
Comment
TikTok postponed their privacy policy update after the DPA’s warning. Since the decision was based on the ePrivacy Directive, the DPA’s warning was limited to the storing and gaining of access to cookies. However, the investigation had a broader scope. The DPA highlighted other issues in the announced privacy policy:
• the age verification process in place was lacking;[3]
• the policy used an incorrect notion of legitimate interest;
• the policy did not specify whether the processing involved special categories of data under Article 9 GDPR and whether an exception under Article 9(2) applied;
• targeted advertising by the controller likely involved profiling and automated decision-making activities. It was not clear how the controller would comply with Article 22(2) GDPR;
• the controller failed to provide the DPA with a data protection impact assessment.
The DPA announced that it would further investigate the issues and involve the Irish DPA and the EDPB according to the cooperation procedure under Chapter VII GDPR.
Further Resources
The Italian DPA explained the decision in a press release[4] (Italian only).
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO PRESS RELEASE OF 11 JULY 2022 [doc. web n. 9788429] Provision of 7 July 2022 Record of measures n. 248 of 7 July 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stazione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and dr. Fabio Mattei, general secretary; HAVING REGARD to Directive 2002/58 / EC of 12 July 2002, of the European Parliament and of the Council, relating to the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter the "ePrivacy Directive"); HAVING REGARD to Directive 2009/136 / EC of 25 November 2009, of the European Parliament and of the Council, amending Directive 2002/22 / EC on universal service and users' rights in the field of electronic communications networks and services, Directive 2002/58 / EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) no. 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection legislation; GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation"); GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code"); GIVEN the Opinion of the Working Group Article 29 n. 6/2014 on the concept of legitimate interest of the data controller pursuant to art. 7 of Directive 95/46 / EC); GIVEN the Opinion of the European Committee for the protection of personal data n. 05/2019 on the interrelationships between the e-Privacy directive and the Regulation, with particular regard to the competences, tasks and powers of the data protection authorities; GIVEN the guidelines of the Article 29 Working Group of 6 February 2018, on the automated decision-making process relating to natural persons and on profiling for the purposes of regulation 2016/679, ratified by the European Committee for the protection of personal data on 25 May 2018; GIVEN the guidelines of the European Committee for the protection of personal data n. 8/2020 on targeting of social media users; HAVING REGARD to the documentation on file; HAVING REGARD to the observations of the Office, formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 of June 28, 2000; RAPPORTEUR prof. Pasquale Stanzione; WHEREAS 1. The case Starting from June 2022, the social network Tik Tok announced the modification of its privacy policy (available at the link https://www.tiktok.com/legal/new-privacy-policy?lang=it-IT) , communicating to users, also through specific messages, the intention to start, with effect from the following 13 July 2022, an activity of supplying "personalized advertising ... to users aged 18 and over" consisting in showing these "advertisements customized based on your activity on the TikTok app ". The treatment would be based, according to what can be read in the Tik Tok privacy policy on "Information you provide us, Information collected automatically and Information from other sources, in order to show its users" advertisements that may be of interest to them and to connect advertisers with users who may be interested in their products or services ". In the opinion of the platform, such processing of personal data would find its legal basis in the "legitimate interest" referred to in art. 6, par. 1, lett. f) of the Regulations, rather than in the consent of the interested parties. 2. The investigation carried out In view of this proposed change, the Office sent on June 22, 2022, a request for information to TikTok Italy. The request was asked to be able to know: - the legal basis legitimizing the profiling activity and the reasons underlying its choice; - in the event that this was found to be in the "legitimate interest", the assessments carried out by the Company in relation to the so-called triple test as set out by the Court of Justice of the European Union in judgment C 13/16 Rīgas satiksmea; - if a preliminary impact assessment had been carried out, pursuant to art. 35 of the GDPR and, if so, to receive a copy of the same; - the measures adopted in order to verify the age of majority of the user whose data will be processed for purposes of profiled advertising, taking into account the difficulties, hitherto unresolved, in identifying children under the age of 13 and 14 (limit of Italian age pursuant to article 8, par. 1, second paragraph, of the Regulation). TikTok provided feedback on June 30, 2022, preliminarily representing, as regards the legal basis chosen to provide personalized advertising, to process two different categories of user data: 1) data obtainable from activities on TikTok: information collected directly from the user's actions on the platform; 2) data obtainable from activities outside of TikTok: information received from external partners operating in the advertising, measurement and data sector, obtained from the user's activity carried out outside the platform. The Company therefore specified that these treatments have already been carried out by TikTok and are still carried out on the basis of the consent of the interested parties, pursuant to art. 6, par. 1, letter a), of the Regulation. Starting from July 13th, the same treatments to show personalized ads based on the data taken from the "Activity on TikTok" - only for users over the age of 18 - would find the legal basis in the "legitimate interests pursued by TikTok, by its advertising partners and its users pursuant to art. 6, paragraph 1, letter f), of the GDPR ". The Company affirms that it has carried out all relevant assessments in accordance with the Regulation, including an impact analysis, considering: "(i) whether the processing of data about the activities of TikTok pursues the legitimate interests of TikTok, its business partners and of its users; (ii) if such legitimate interests do not prevail over the interests or fundamental rights and freedoms of the data subjects ". Following this test, TikTok concluded that the balance is satisfied for the following reasons: (i) the processing is clearly explained to users; (ii) the processing is unlikely to negatively impact users or cause them harm; (iii) users under the age of 18 are excluded from treatment; (iv) TikTok facilitates the exercise of the rights of data subjects through different functions and settings of the platform. On the other hand, as regards the legal basis for "Activities outside TikTok", there would be no change, so the social network will continue to be based on the user's consent pursuant to art. 6, par. 1 letter a), of the GDPR. TikTok then highlighted the information provided to users regarding the change in the legal basis, recalling that it has published an updated privacy policy that will come into force on 13 July. In addition, users were informed of the privacy policy updates via a pop-up in the TikTok app. Finally, as regards the exercise of the rights of the data subject, the section relating to the legitimate interests of the privacy policy informs users of their right to object pursuant to art. 21 of the GDPR upon receipt of personalized advertising. In response to the request on measures to verify the age of users, the platform, after having remembered that the modification of the legal basis for the processing of data regarding the "Activity on TikTok" in order to provide personalized advertising, applies only to users aged 18 and over, stressed that they have adopted technical and human processes and procedures to verify the age of users. In addition, the platform ensured that it has ongoing collaboration with industry experts and the Irish authority (as TikTok's lead regulator) to develop and identify innovative ways to further improve age verification measures. in order to successfully balance the rights and interests of users. 3. Legal considerations and assessments of the Authority 3.1. The criticalities emerged In the first place, the platform's approach to the issue of the legal basis cannot be overlooked which is rather vague and bent on the various needs emerging from time to time. For example, in the long story relating to the processing of data of minors under the age of 13 that led the Guarantor to order the urgent blocking of treatments in Italy by the platform, the latter has always supported the applicability for minors of the legal basis of the contract, referring instead to the consent for the administration of targeted advertising to people over the age of 16. Now we intend to modify this legal basis, for the treatments originated on the platform, invoking the reference to the legitimate interest, as if the choice of the legal basis were not a consubstantial presupposition of the data processing, but only represented a casual use of the best option of selectable from time to time by the owner. With regard to the contents of the response provided by TikTok, then, it must first be noted that the method of carrying out personalized advertising activities based on the direct collection of data relating to the user's actions on the platform nor the legitimizing legal basis has not been sufficiently represented. the processing of the data in question. In particular: • the legitimate interest pursued by the owner and by third parties (the advertising partners) as well as "by the users themselves" has not been specified; • it has not been specified whether the processing also concerns data of a particular nature and which, in this case, is the exception provided for by art. 9, par. 2, of the Regulation which could justify it; • the balancing test is indicated in a generic way and insufficient to allow an adequate assessment of its correctness in light of the criteria provided by the jurisprudence of the Court of Justice of the European Union. Moreover, "the mere fulfillment of information duties pursuant to art. 13 of the GDPR - mentioned in the first point of the balancing test - does not constitute a transparency measure to be taken into consideration for the weighting of interests in accordance with art. 6, paragraph 1, lett. f) of the GDPR1 "; therefore the statement that the balancing test is satisfied for this treatment does not seem adequately argued; • the impact assessment that TikTok claims to have conducted by consulting its DPO was not provided, despite an explicit request from the Office; • the age verification measures were not represented even in general and TikTok limited itself to referring generically to the fact that it is collaborating with industry experts and with the Irish authority; • the results produced so far by the mechanisms put in place by Tik Tok for verifying the user's age do not seem able to exclude that personalized advertising may be aimed at minors under the age of 18, and even at minors under the age of 14, which represent a basin where the platform is very popular. Furthermore, the following elements result from the information: - operations for the purpose of "personalization" of advertising are carried out with a high degree of probability, which likely involve the use of cookies or other tracking techniques (including third parties); - profiling operations are carried out with a high degree of probability, which also involve automated decision-making processes pursuant to art. 22 of the Regulation in the absence of the foreseen guarantees; - in the information, the right to object is not adequately highlighted, it is cited generically at the end of the text without any direct connection with the personalized advertising activity. In the absence of elements on these points, having regard to other similar business models, it appears highly probable that data of a particular nature will also be processed, which can be deduced from the user's behavior on the platform (choice of readings, videos, characters, etc.) and furthermore, that the processing is carried out in a totally automated form. These are profiles that the Authority is investigating and in relation to which it intends to report to the Irish SA and the European Data Protection Committee the opportunity to evaluate an urgent intervention in the context of the cooperation procedures provided for by the Regulation. 3.2. The application of the e-privacy directive Regardless of the foregoing, in any case, it is clear from the information (see version intended to come into force on 13 July) that TikTok, among others, intends to use, on the basis of legitimate interest, "information collected automatically" or, always in accordance with the provisions of the same information "device information ... which includes the model of your device, the operating system, the typing patterns or rhythms, the IP address and the system language ... as well as information relating to the service, the diagnostics and performance, including crash reports and performance logs "and, again," information about your location ... based on your technical information (including SIM card and IP address) and, if the user enables location services for the TikTok app, “approximate location information from your device”. The same disclosure also refers that Tik Tok collects and uses “cookies and similar tracking technologies to manage and provide [you] and our services. For example we use cookies to remember your language preferences, to make sure you don't see the same video more than once and for security reasons. We also use these technologies for marketing purposes. " Pursuant to art. 5, par. 3 of Directive 2002/58 / EC, for "the storage of information, or access to information already stored, in the terminal equipment of a subscriber or user", the consent of the interested party is required. The wording of this article is broad enough to include a variety of services, since it refers to the operation subject to the need for consent ("retention of information or access to information already stored") and not to the specific applications that need the information stored in the user terminals. Profiling cookies can also be used only after obtaining the consent, however informed, of the contractor or user. And this on the basis of the law still applicable to the case, namely art. 122 of the Code, already mentioned, pursuant to which "1. The storage of information in the terminal equipment of a contractor or a user or access to information already stored is only permitted on condition that the contractor or user has given his consent after being informed in a simplified manner. This provision was introduced into national law following the transposition of the ePrivacy Directive no. 2002/58 / EC, preliminary with respect to the date of application of the Regulation and also, like the rules of domestic law that implement it, still applicable to the specific sector concerning the processing of data carried out in the field of electronic communications (see ., in this regard, recital 173 of the Regulation according to which "This regulation should apply to all aspects relating to the protection of fundamental rights and freedoms with regard to the processing of personal data that do not fall under specific obligations, having the same objective, referred to in Directive 2002/58 / EC of the European Parliament and of the Council ... ", as well as art. 2, letter l), of the framework directive 2002/21 / EC which also includes the ePrivacy directive in the category of" particular directives "). The regulatory framework illustrated above makes it possible to exclude that legitimate interest may represent a suitable legal basis at least for the processing, for the purpose of sending personalized advertising, of all personal data that in the Tik Tok information are defined as "information collected automatically ”And, therefore, to deem unlawful, at least partially, regardless of any further and subsequent investigation, the processing of personal data of users that Tik Tok intends to undertake starting from next July 13th. Nor, in relation to the processing of the aforementioned information stored on users' devices, is it legitimate to doubt the application of the ePrivacy Directive no. 2002/58 / EC and, consequently, of the direct and exclusive competence of the Guarantor, since the cooperation mechanism provided for by art. 60 and following of the Regulation. 3.3. The legitimate interest in the Regulation The reference to legitimate interest, in the case proposed by Tik Tok, however, appears problematic also with regard to the provisions of the Regulation. In the first place, from a purely methodological point of view, there is no evaluation in terms of positive elements, by TikTok, in relation to the circumstances that would induce the data controller to modify the previous structure relating to the legal basis even in the absence of substantial changes on the overall methods of treatment. This proves to consider the choice of TikTok as purely instrumental to the pursuit of its objectives, where the legitimacy of the treatments appears only to be a boundary element, which can be molded according to needs. Again in general terms, any use of the legal basis of legitimate interest should be viewed with extreme caution, as a preliminary and documented (also for the purpose of respecting accountability) weighting of the interests at stake is necessary. On this point, the WP29 Guidelines ("on the automated decision-making process relating to natural persons and on profiling for the purposes of regulation 2016/679" of 6 February 2018) indicate a series of elements that must be taken into account, in the context of the necessary balancing test (degree of detail and granularity of the profile, completeness of the same, impact on the data subject, presence of guarantees aimed at ensuring correctness and maintaining the accuracy of the treatment as well as preventing discrimination). The owner should also take into account the future use or subsequent possible combinations of profiles in order to consider the "soundness of the system underlying the treatment" carried out on this assumption. It must also be considered that the previous opinion of WP29 on the concept of legitimate interest (Opinion 06/2014), albeit based on art. 7 of the repealed Directive 95/46 / EC, considered it difficult for the data controller to justify the use of legitimate interest as a legitimate basis for intrusive profiling and tracking practices for marketing or advertising purposes. Dirimente must then be considered what has already been clarified by WP29, or that the legitimate interest of the data controller cannot make profiling lawful if the treatment, as it would appear to be that carried out by Tik Tok in the case in question, falls within the definition referred to in art. . 22, par. 1 of the Regulation. The application of the legal basis of the legitimate interest inevitably presupposes the prevalence in concrete (based on a balance given to the owner, but always assessable by the Supervisory Authority) of the latter over the rights, freedoms and mere interests of the interested parties; prevalence that, in the case of Tik tok, does not seem to be able to be recognized. Moreover, “the data controller cannot…. retroactively resorting to the basis of legitimate interest. Since he has the obligation to communicate [in the information issued to the interested party] the legitimate basis at the time of the collection of personal data, the data controller must have decided on the legitimate basis before the data was collected "(see guidelines of the Group Art. 29 on consent pursuant to Regulation (EU) 2016/679, 10 April 2018, WP 259 rev.01) and certainly cannot make up for it suddenly - however, since the treatments carried out have remained substantially unchanged - to remedy the failure consent of the interested parties or a consent not validly acquired by the same (see provision of Guarantor January 15, 2020 n.7, web doc. n. 9256486). There is also a very high probability that data of a particular nature will also be processed, which can be deduced from the user's behavior while browsing the platform and in this regard, no information is provided about the possible applicability of one of the hypotheses referred to in art. 9, par. 2, of the Regulation. Finally, in the reply to the Guarantor, TikTok proposes a reference, which can only appear pretext, to the "legitimate interests [...] pursued by its Users" (see page 2, paragraph 2 of the reply) making them in fact coincide or in any case apparently overlapping them with the legitimate interest of the owner. This logical-legal operation appears to be very problematic and unprecedented, if we consider that Opinion no. 6/2014 (WP29 guidelines on legitimate interest), and more generally the regulatory references relating to the concept of legitimate interest, circumscribe this definition to the purposes of the data controller that cannot be generically translated to the data subjects (cf. . Opinion 6/2014, pp. 34 et seq.). Finally, it cannot be ignored that the absence of certain elements for the identification of the person of legal age, also in light of the negative tests that have followed up to now regarding the ability of Tik Tok (like other social networks) to carry out this evaluation, risks involving in the aforementioned activity also persons under the age of 18, but also under the age of 14, for whom the consent of the parental responsibility practitioners would be required and, in the hypothesis also of children under the age of 13, for whom the access to the platform would be completely forbidden. With reference to these additional profiles, however, the Authority will proceed to the necessary investigations also in the context of the envisaged cooperation procedures, reserving, possibly also the adoption of further urgent measures to protect the rights of interested users, in Italia, of TikTok whose personal data are likely to be illegally processed as of July 13th. 4. Conclusions The foregoing leads to the belief that the activity of administering "personalized" commercial advertising by TikTok to adult users, through profiling activities of their behavior within the social network, at least to the extent that it is based, as expressly reported by the company, on the so-called "Information collected automatically" and stored on the users' device cannot legally be based on legitimate interest as this activity is in contrast with art. 5, par. 3 of the e-privacy Directive and art. 122 of the Code. Nor can there be doubts, at least limited to this profile, of the exclusive competence in the matter, for its own territorial scope of reference, of the Guarantor. Therefore, pending the acquisition of any further information, in consideration of the violations detected and the competence of the Guarantor, it is considered necessary to address, pursuant to the combined provisions of art. 58, par. 2, lett. a), of the Regulations and art. 154, paragraph 1, lett. f), of the Code, a warning to Tik Tok, highlighting that the envisaged treatment can probably constitute a violation of the current regulations with the related responsibilities of a treatment based on an incorrect legal basis. The Irish Data Protection Commission and the Personal Data Protection Committee will be informed of this decision to the extent of their interest and competence. This remains without prejudice to the Authority's right to intervene urgently, should the need be identified hereinafter, also pursuant to art. 66 of the Regulation. Finally, it should be noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. WHEREAS, THE GUARANTOR a) pursuant to art. 57, par. 1, lett. a) of the Regulations and art. 154, paragraph 1, lett. a) of the Code, notes that the treatment provided by TikTok Italy S.r.l., with registered office in Milan, via Mazzini 9/11 and TiKTok Technology Limited, with registered office in Dublin, c / o Wework Harcourt Road can probably constitute a violation of the regulations in force for violation of the provisions in the terms set out in the motivation; b) pursuant to the combined provisions of art. 58, par. 2, lett. a), of the Regulations and art. 154, paragraph 1, lett. f), of the Code, warns TikTok Italy S.r.l., based in Milan, via Mazzini 9/11 and TiKTok Technology Limited, based in Dublin, c / o Wework Harcourt Road that any processing of personal data subject to the conduct described in the introduction would violate Articles 5, par. 3 of Directive 2002/58 / EC and art. 122 of the Code, with all the consequences, including sanctions, provided for by the regulations on the protection of personal data; c) the Guarantor reserves the right to intervene urgently, should the need arise hereinafter, also pursuant to art. 66 of the Regulation; d) believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility. Rome, July 7, 2022 1 See p. 22, point 66, of the "8/2020 Guidelines on targeting social media users" adopted by the EDPB on 13 April 2021. SEE ALSO PRESS RELEASE OF 11 JULY 2022 [doc. web n. 9788429] Provision of 7 July 2022 Record of measures n. 248 of 7 July 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stazione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and dr. Fabio Mattei, general secretary; HAVING REGARD to Directive 2002/58 / EC of 12 July 2002, of the European Parliament and of the Council, relating to the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter the "ePrivacy Directive"); HAVING REGARD to Directive 2009/136 / EC of 25 November 2009, of the European Parliament and of the Council, amending Directive 2002/22 / EC on universal service and users' rights in the field of electronic communications networks and services, Directive 2002/58 / EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) no. 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection legislation; GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation"); GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code"); GIVEN the Opinion of the Working Group Article 29 n. 6/2014 on the concept of legitimate interest of the data controller pursuant to art. 7 of Directive 95/46 / EC); GIVEN the Opinion of the European Committee for the protection of personal data n. 05/2019 on the interrelationships between the e-Privacy directive and the Regulation, with particular regard to the competences, tasks and powers of the data protection authorities; GIVEN the guidelines of the Article 29 Working Group of 6 February 2018, on the automated decision-making process relating to natural persons and on profiling for the purposes of regulation 2016/679, ratified by the European Committee for the protection of personal data on 25 May 2018; GIVEN the guidelines of the European Committee for the protection of personal data n. 8/2020 on targeting of social media users; HAVING REGARD to the documentation on file; HAVING REGARD to the observations of the Office, formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 of June 28, 2000; RAPPORTEUR prof. Pasquale Stanzione; WHEREAS 1. The case Starting from June 2022, the social network Tik Tok announced the modification of its privacy policy (available at the link https://www.tiktok.com/legal/new-privacy-policy?lang=it-IT) , communicating to users, also through specific messages, the intention to start, with effect from the following 13 July 2022, an activity of supplying "personalized advertising ... to users aged 18 and over" consisting in showing these "advertisements customized based on your activity on the TikTok app ". The treatment would be based, according to what can be read in the Tik Tok privacy policy on "Information you provide us, Information collected automatically and Information from other sources, in order to show its users" advertisements that may be of interest to them and to connect advertisers with users who may be interested in their products or services ". In the opinion of the platform, such processing of personal data would find its legal basis in the "legitimate interest" referred to in art. 6, par. 1, lett. f) of the Regulations, rather than in the consent of the interested parties. 2. The investigation carried out In view of this proposed change, the Office sent on June 22, 2022, a request for information to TikTok Italy. The request was asked to be able to know: - the legal basis legitimizing the profiling activity and the reasons underlying its choice; - in the event that this was found to be in the "legitimate interest", the assessments carried out by the Company in relation to the so-called triple test as set out by the Court of Justice of the European Union in judgment C 13/16 Rīgas satiksmea; - if a preliminary impact assessment had been carried out, pursuant to art. 35 of the GDPR and, if so, to receive a copy of the same; - the measures adopted in order to verify the age of majority of the user whose data will be processed for purposes of profiled advertising, taking into account the difficulties, hitherto unresolved, in identifying children under the age of 13 and 14 (limit of Italian age pursuant to article 8, par. 1, second paragraph, of the Regulation). TikTok provided feedback on June 30, 2022, preliminarily representing, as regards the legal basis chosen to provide personalized advertising, to process two different categories of user data: 1) data obtainable from activities on TikTok: information collected directly from the user's actions on the platform; 2) data obtainable from activities outside of TikTok: information received from external partners operating in the advertising, measurement and data sector, obtained from the user's activity carried out outside the platform. The Company therefore specified that these treatments have already been carried out by TikTok and are still carried out on the basis of the consent of the interested parties, pursuant to art. 6, par. 1, letter a), of the Regulation. Starting from July 13th, the same treatments to show personalized ads based on the data taken from the "Activity on TikTok" - only for users over the age of 18 - would find the legal basis in the "legitimate interests pursued by TikTok, by its advertising partners and its users pursuant to art. 6, paragraph 1, letter f), of the GDPR ". The Company states that it has carried out all relevant assessments in accordance with the Regulation, including an impact analysis, considering: "(i) whether the processing of data about the activities of TikTok pursues the legitimate interests of TikTok, its business partners and of its users; (ii) if such legitimate interests do not prevail over the interests or fundamental rights and freedoms of the data subjects ". Following this test, TikTok concluded that the balance is satisfied for the following reasons: (i) the processing is clearly explained to users; (ii) the processing is unlikely to negatively impact users or cause them harm; (iii) users under the age of 18 are excluded from treatment; (iv) TikTok facilitates the exercise of the rights of data subjects through different functions and settings of the platform. On the other hand, as regards the legal basis for "Activities outside TikTok", there would be no change, so the social network will continue to be based on the user's consent pursuant to art. 6, par. 1 letter a), of the GDPR. TikTok then highlighted the information provided to users regarding the change in the legal basis, recalling that it has published an updated privacy policy that will come into force on 13 July. In addition, users were informed of the privacy policy updates via a pop-up in the TikTok app. Finally, as regards the exercise of the rights of the data subject, the section relating to the legitimate interests of the privacy policy informs users of their right to object pursuant to art. 21 of the GDPR upon receipt of personalized advertising. In response to the request on measures to verify the age of users, the platform, after having remembered that the modification of the legal basis for the processing of data regarding the "Activity on TikTok" in order to provide personalized advertising, applies only to users aged 18 and over, stressed that they have adopted technical and human processes and procedures to verify the age of users. In addition, the platform ensured that it has ongoing collaboration with industry experts and the Irish authority (as TikTok's lead regulator) to develop and identify innovative ways to further improve age verification measures. in order to successfully balance the rights and interests of users. 3. Legal considerations and assessments of the Authority 3.1. The criticalities emerged In the first place, the platform's approach to the issue of the legal basis cannot be overlooked which is rather vague and bent on the various needs emerging from time to time. For example, in the long story relating to the processing of data of minors under the age of 13 that led the Guarantor to order the urgent blocking of treatments in Italy by the platform, the latter has always supported the applicability for minors of the legal basis of the contract, referring instead to the consent for the administration of targeted advertising to people over the age of 16. Now we intend to modify this legal basis, for the treatments originated on the platform, invoking the reference to the legitimate interest, as if the choice of the legal basis were not a consubstantial presupposition of the data processing, but only represented a casual use of the best option of selectable from time to time by the owner. With regard to the contents of the response provided by TikTok, then, it must first be noted that the method of carrying out personalized advertising activities based on the direct collection of data relating to the user's actions on the platform nor the legitimizing legal basis has not been sufficiently represented. the processing of the data in question. In particular: • the legitimate interest pursued by the owner and by third parties (advertising partners) as well as "by the users themselves" has not been made explicit; • it has not been specified whether the processing also concerns data of a particular nature and which, in this case, is the exception provided for by art. 9, par. 2, of the Regulation which could justify it; • the balancing test is indicated in a generic way and insufficient to allow an adequate assessment of its correctness in light of the criteria provided by the jurisprudence of the Court of Justice of the European Union. Moreover, "the mere fulfillment of information duties pursuant to art. 13 of the GDPR - mentioned in the first point of the balancing test - does not constitute a transparency measure to be taken into consideration for the weighting of interests in accordance with art. 6, paragraph 1, lett. f) of the GDPR1 "; therefore the statement that the balancing test is satisfied for this treatment does not seem adequately argued; • the impact assessment that TikTok claims to have conducted by consulting its DPO was not provided, despite an explicit request from the Office; • age verification measures were not represented even in general and TikTok limited itself to referring generically to the fact that it is collaborating with industry experts and with the Irish authority; • the results produced so far by the mechanisms put in place by Tik Tok for verifying the user's age do not seem able to exclude that personalized advertising may be aimed at minors under the age of 18, and even at minors under the age of 14, which represent a basin where the platform is very popular. Furthermore, the following elements result from the information: - operations are carried out with a high degree of probability for the purpose of "personalization" of advertising which most likely involve the use of cookies or other tracking techniques (including third parties); - profiling operations are carried out with a high degree of probability, which also involve automated decision-making processes pursuant to art. 22 of the Regulation in the absence of the foreseen guarantees; - in the information, the right to object is not adequately highlighted, it is cited generically at the end of the text without any direct connection with the personalized advertising activity. In the absence of elements on these points, having regard to other similar business models, it appears highly probable that data of a particular nature will also be processed, which can be deduced from the user's behavior on the platform (choice of readings, videos, characters, etc.) and furthermore, that the processing is carried out in a totally automated form. These are profiles that the Authority is investigating and in relation to which it intends to report to the Irish SA and the European Data Protection Committee the opportunity to evaluate an urgent intervention in the context of the cooperation procedures provided for by the Regulation. 3.2. The application of the e-privacy directive Regardless of the foregoing, in any case, it is clear from the information (see version intended to come into force on 13 July) that TikTok, among others, intends to use, on the basis of legitimate interest, "information collected automatically" or, always in accordance with the provisions of the same information "device information ... which includes the model of your device, the operating system, the typing patterns or rhythms, the IP address and the system language ... as well as information relating to the service, the diagnostics and performance, including crash reports and performance logs "and, again," information about your location ... based on your technical information (including SIM card and IP address) and, if the user enables location services for the TikTok app, “approximate location information from your device”. The same disclosure also refers that Tik Tok collects and uses “cookies and similar tracking technologies to manage and provide [you] and our services. For example we use cookies to remember your language preferences, to make sure you don't see the same video more than once and for security reasons. We also use these technologies for marketing purposes. " Pursuant to art. 5, par. 3 of Directive 2002/58 / EC, for "the storage of information, or access to information already stored, in the terminal equipment of a subscriber or user", the consent of the interested party is required. The wording of this article is broad enough to include a variety of services, since it refers to the operation subject to the need for consent ("retention of information or access to information already stored") and not to the specific applications that need the information stored in the user terminals. Profiling cookies can also be used only after obtaining the consent, however informed, of the contractor or user. And this on the basis of the law still applicable to the case, namely art. 122 of the Code, already mentioned, pursuant to which "1. The storage of information in the terminal equipment of a contractor or a user or access to information already stored is only permitted on condition that the contractor or user has given his consent after being informed in a simplified manner. This provision was introduced into national law following the transposition of the ePrivacy Directive no. 2002/58 / EC, preliminary with respect to the date of application of the Regulation and also, like the rules of domestic law that implement it, still applicable to the specific sector concerning the processing of data carried out in the field of electronic communications (see ., in this regard, recital 173 of the Regulation according to which "This regulation should apply to all aspects relating to the protection of fundamental rights and freedoms with regard to the processing of personal data that do not fall under specific obligations, having the same objective, referred to in Directive 2002/58 / EC of the European Parliament and of the Council ... ", as well as art. 2, letter l), of the framework directive 2002/21 / EC which also includes the ePrivacy directive in the category of" particular directives "). The regulatory framework illustrated above makes it possible to exclude that legitimate interest may represent a suitable legal basis at least for the processing, for the purpose of sending personalized advertising, of all personal data that in the Tik Tok information are defined as "information collected automatically ”And, therefore, to deem unlawful, at least partially, regardless of any further and subsequent investigation, the processing of personal data of users that Tik Tok intends to undertake starting from next July 13th. Nor, in relation to the processing of the aforementioned information stored on users' devices, is it legitimate to doubt the application of the ePrivacy Directive no. 2002/58 / EC and, consequently, of the direct and exclusive competence of the Guarantor, since the cooperation mechanism provided for by art. 60 and following of the Regulation. 3.3. The legitimate interest in the Regulation The reference to legitimate interest, in the case proposed by Tik Tok, however, appears problematic also with regard to the provisions of the Regulation. In the first place, from a purely methodological point of view, there is no evaluation in terms of positive elements, by TikTok, in relation to the circumstances that would induce the data controller to modify the previous structure relating to the legal basis even in the absence of substantial changes on the overall methods of treatment. This proves to consider the choice of TikTok as purely instrumental to the pursuit of its objectives, where the legitimacy of the treatments appears only to be a boundary element, which can be molded according to needs. Again in general terms, any use of the legal basis of legitimate interest should be viewed with extreme caution, as a preliminary and documented (also for the purpose of respecting accountability) weighting of the interests at stake is necessary. On this point, the WP29 Guidelines ("on the automated decision-making process relating to natural persons and on profiling for the purposes of regulation 2016/679" of 6 February 2018) indicate a series of elements that must be taken into account, in the context of the necessary balancing test (degree of detail and granularity of the profile, completeness of the same, impact on the data subject, presence of guarantees aimed at ensuring correctness and maintaining the accuracy of the treatment as well as preventing discrimination). The owner should also take into account the future use or subsequent possible combinations of profiles in order to consider the "soundness of the system underlying the treatment" carried out on this assumption. It must also be considered that the previous opinion of WP29 on the concept of legitimate interest (Opinion 06/2014), albeit based on art. 7 of the repealed Directive 95/46 / EC, considered it difficult for the data controller to justify the use of legitimate interest as a legitimate basis for intrusive profiling and tracking practices for marketing or advertising purposes. Dirimente must then be considered what has already been clarified by WP29, or that the legitimate interest of the data controller cannot make profiling lawful if the treatment, as it seems to be that carried out by Tik Tok in the case in question, falls within the definition referred to in art. . 22, par. 1 of the Regulation. The application of the legal basis of the legitimate interest inevitably presupposes the prevalence in concrete (based on a balance given to the owner, but always assessable by the Supervisory Authority) of the latter over the rights, freedoms and mere interests of the interested parties; prevalence that, in the case of Tik tok, does not seem to be able to be recognized. Moreover, “the data controller cannot…. retroactively resorting to the basis of legitimate interest. Since he has the obligation to communicate [in the information issued to the interested party] the legitimate basis at the time of the collection of personal data, the data controller must have decided on the legitimate basis before the data is collected "(see guidelines of the Group Art. 29 on consent pursuant to Regulation (EU) 2016/679, 10 April 2018, WP 259 rev.01) and certainly cannot make up for it suddenly - however, since the treatments carried out have remained substantially unchanged - to remedy the failure consent of the interested parties or a consent not validly acquired by the same (see provision of Guarantor January 15, 2020 n.7, web doc. n. 9256486). There is also a very high probability that data of a particular nature will also be processed, which can be deduced from the user's behavior while browsing the platform and in this regard, no information is provided about the possible applicability of one of the hypotheses referred to in art. 9, par. 2, of the Regulation. Finally, in the reply to the Guarantor, TikTok proposes a reference, which can only appear pretext, to the "legitimate interests [...] pursued by its Users" (see page 2, paragraph 2 of the reply) making them in fact coincide or in any case apparently overlapping them with the legitimate interest of the owner. This logical-legal operation appears to be very problematic and unprecedented, if we consider that Opinion no. 6/2014 (WP29 guidelines on legitimate interest), and more generally the regulatory references relating to the concept of legitimate interest, circumscribe this definition to the purposes of the data controller that cannot be generically translated to the data subjects (cf. . Opinion 6/2014, pp. 34 et seq.). Finally, it cannot be ignored that the absence of certain elements for the identification of the adult person, also in light of the negative tests that have followed up to now regarding the ability of Tik Tok (like other social networks) to carry out this evaluation, risks involving in the aforementioned activity also persons under the age of 18, but also under the age of 14, for whom the consent of the parental responsibility practitioners would be required and, in the hypothesis also of children under the age of 13, for whom the access to the platform would be completely forbidden. With reference to these additional profiles, however, the Authority will proceed to the necessary investigations also in the context of the envisaged cooperation procedures, reserving, possibly also the adoption of further urgent measures to protect the rights of interested users, in Italia, of TikTok whose personal data are likely to be illegally processed as of July 13th. 4. Conclusions The foregoing leads to the belief that the activity of administering "personalized" commercial advertising by TikTok to adult users, through profiling activities of their behavior within the social network, at least to the extent that it is based, as expressly reported by the company, on the so-called "Information collected automatically" and stored on the users' device cannot legally be based on legitimate interest as this activity is in contrast with art. 5, par. 3 of the e-privacy Directive and art. 122 of the Code. Nor can there be doubts, at least limited to this profile, of the exclusive competence in the matter, for its own territorial scope of reference, of the Guarantor. Therefore, pending the acquisition of any further information, in consideration of the violations detected and the competence of the Guarantor, it is considered necessary to address, pursuant to the combined provisions of art. 58, par. 2, lett. a), of the Regulations and art. 154, paragraph 1, lett. f), of the Code, a warning to Tik Tok, highlighting that the envisaged treatment can probably constitute a violation of the current regulations with the related responsibilities of a treatment based on an incorrect legal basis. The Irish Data Protection Commission and the Personal Data Protection Committee will be informed of this decision to the extent of their interest and competence. Without prejudice to the right of the Authority to intervene urgently, should the need arise, also pursuant to art. 66 of the Regulation. Finally, it should be noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. WHEREAS, THE GUARANTOR a) pursuant to art. 57, par. 1, lett. a) of the Regulations and art. 154, paragraph 1, lett. a) of the Code, notes that the treatment provided by TikTok Italy S.r.l., with registered office in Milan, via Mazzini 9/11 and TiKTok Technology Limited, with registered office in Dublin, c / o Wework Harcourt Road can probably constitute a violation of the regulations in force for violation of the provisions in the terms set out in the motivation; b) pursuant to the combined provisions of art. 58, par. 2, lett. a), of the Regulations and art. 154, paragraph 1, lett. f), of the Code, warns TikTok Italy S.r.l., based in Milan, via Mazzini 9/11 and TiKTok Technology Limited, based in Dublin, c / o Wework Harcourt Road that any processing of personal data subject to the conduct described in the introduction would violate Articles 5, par. 3 of Directive 2002/58 / EC and art. 122 of the Code, with all the consequences, including sanctions, provided for by the regulations on the protection of personal data; c) the Guarantor reserves the right to intervene urgently, should the need arise hereinafter, also pursuant to art. 66 of the Regulation; d) believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility. Rome, July 7, 2022 1 See p. 22, point 66, of the "8/2020 Guidelines on targeting social media users" adopted by the EDPB on 13 April 2021.
- ↑ EDPB, 'Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities', 12 March 2019, (available here).
- ↑ Article 5(3) was modified by Directive 2009/136/EC. This summary references the consolidated version of the Directive.
- ↑ The DPA noted that age verification was a known issue with TikTok. Indeed, the Garante had already imposed limitations on the controller three times for this reason.
- ↑ https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9788342