Garante per la protezione dei dati personali (Italy) - 9524194

From GDPRhub
Garante per la protezione dei dati personali - 9524194
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 58(2)(f) GDPR
Article 66(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 22.01.2021
Published: 22.01.2021
Fine: None
Parties: TikTok
National Case Number/Name: 9524194
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP.it (in IT)
Initial Contributor: n/a

The Italian DPA provisionally orders TikTok to restrict processing of personal data of persons whose age TikTok is not certain of.

English Summary

Facts

A 10 year old person taking part in the “blackout challenge” died.

The “blackout challenge” is an internet phenomenon in which participants film themselves in an autoerotic asphyxiation. This practice is one of the most dangerous and extreme practices of BDSM. Becuase of the carotid sinus reflex, cardiac arrest can occur in certain cases.

Dispute

Are the age verification measures used by TikTok sufficient?

Holding

The Italian DPA imposed an immediate limitation on the processing performed by TikTok with regard to the data of users whose age could not be established with certainty.

Comment

Share your comments here!

Further Resources

Press release by the Italian DPA in IT and EN

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Prof. Pasquale Stanzione, chairman, Prof. Ginevra Cerrina Feroni, vice-chairman, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("General Data Protection Regulation" - hereinafter, the "Regulation")

HAVING REGARD to the Personal Data Protection Code, containing provisions for the adaptation of the national legislation to the Regulation (EU) 2016/679 (Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018, hereinafter, the "Code");

HAVING REGARD to note no. 47853 of 15 December 2020 - to be deemed to be referred to and reproduced herein in full - whereby the Office, in opening formal proceedings against Tik Tok (hereinafter also "the Company"), alleged that the Company had breached certain provisions of the Regulation, finding, inter alia, that there were serious problems in terms of the correct legal basis applied to the processing of the personal data of its users, the procedures for issuing the information notice, the transfer of data abroad, the data retention period, compliance with the principles of privacy by design and by default and, above all, the forms provided for verifying the age of the users themselves, with clear reference, in particular, to minors

HAVING REGARD to the request for extension submitted by the Company due to the Christmas period and the difficulties created by the ongoing pandemic;

NOTING that, with the acceptance of this request by the Office, the deadline for providing feedback has been extended to 29 January 2021;

NOTED that, in the meantime, in a note dated 22 December 2020, the Data Protection Commission (DPC), the Irish Supervisory Authority, has advised that Tik Tok Ireland may be considered a principal establishment within the meaning of Article 4(16) of the Regulation;

CONSIDERED that recent press articles have reported the death of a 10-year-old girl as a result of emulative practices carried out in relation to her participation in the aforementioned platform and that the registration to the same has not been denied by the Company to date;

CONSIDERING that, in the absence of the feedback requested from Tik Tok in the aforementioned note initiating the proceedings, and therefore of assurances as to the adoption of correct methods for ascertaining the age of members of the platform, and pending the investigations being carried out by the competent judicial authority, it is necessary to adopt every possible measure to protect users on Italian territory;

CONSIDERED, in particular, that the preliminary examination carried out by the Office has revealed serious shortcomings with regard to the methods chosen by the Company to ascertain the age of users;

HAVING REGARD TO

- Article 24(2) of the Charter of Fundamental Rights of the European Union, according to which 'in all actions relating to children, whether taken by public authorities or private institutions, the child's best interests must be a primary consideration';

- recital 38 of the Regulation, according to which children deserve specific protection with regard to their personal data since they may be less aware of the risks, consequences and safeguards, as well as of their rights, especially when, as in the present case, the collection of children's personal data takes place when using services provided directly to them;

- Article 25(1) of the Regulation, which requires the data controller to implement appropriate technical and organisational measures to effectively implement data protection principles in order to meet the requirements of the Regulation and to protect the rights of data subjects;

CONSIDERING therefore that the conditions of necessity and urgency laid down in Article 66 of the Regulation are met in the present case, according to which "in exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism ... immediately adopt provisional measures intended to produce legal effects within its territory with a specified period of validity not exceeding three months";

CONSIDERING, in particular, the need - pending the response requested and subject to further consequent assessment by this Authority - to order, pursuant to Article 58(2)(f), against Tik Tok in its capacity as data controller, the measure of provisional restriction of processing, having to prohibit further processing of the data of users who are on Italian territory, for whom there is no absolute certainty of age and, consequently, of compliance with the provisions linked to the age requirement, with immediate effect from the date of receipt of this measure;

RECALLING that, in the event of failure to comply with the measure ordered by the Garante, the criminal sanction referred to in Article 170 of the Code and the administrative fine provided for in Article 83(5)(e) of the Regulation shall apply;

HAVING REGARD TO the documentation in the files;

HAVING REGARD TO the official documents and the observations made by the Secretary General pursuant to Article 15 of Regulation No 1/2000;

REPORTER Mr Guido Scorza, lawyer;

IN THE LIGHT OF THE FOREGOING, THE SUPERVISOR

a) pursuant to Articles 58(2)(f) and 66(1) of the Regulation, orders Tik Tok to provisionally restrict processing, prohibiting further processing of the data of users who are on Italian territory and for whom there is no absolute certainty as to their age and, consequently, as to compliance with the provisions relating to age requirements;

b) said limitation is ordered, without prejudice to any subsequent assessment, for the time necessary to allow this Authority to receive and examine the feedback requested in the notice of objection cited in the introduction, which is currently indicated as 15 February 2021;

c) the aforementioned limitation shall take immediate effect as from the date of receipt of this provision and subject to any further assessment by the Garante, in accordance with the provisions of the aforementioned Article 66 of the Regulation.

Pursuant to Section 66(1) of the Regulation, the supervisory authorities concerned, the European Data Protection Board and the European Commission shall be promptly informed of this provision.

Pursuant to Article 78 of the Regulation, as well as to Article 152 of the Code and Article 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this measure may be lodged with the ordinary judicial authority, by lodging an appeal with the ordinary court of the place where the data controller resides, within thirty days of the date of communication of the measure, or sixty days if the applicant resides abroad.

Rome, 22 January 2021