Garante per la protezione dei dati personali (Italy) - 9574709

From GDPRhub
Garante per la protezione dei dati personali - 9574709
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
Article 58(2)(d) GDPR
Article 58(2)(f) GDPR
Article 66(1) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 25.03.2021
Published:
Fine: None
Parties: TikTok
National Case Number/Name: 9574709
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA renewed a temporary limitation to the processing of data of users under the age of 13 by TikTok, and requested the controller to bring processing operations into compliance with the GDPR.

English Summary

Facts

On the 22nd of January 2021 the Garante issued a first decision imposing the limitation of TikTok's processing of personal data related to users under the age of 13. On the 11th of February 2021, the Garante issued a second decision renewing such limitation.

Dispute

In the decision, the Garante presents some findings of its report on the compliance of TikTok with the notification received from the Garante itself. First, according to the authority, the self-certification mechanism implemented by TikTok to verify the age of its users is not sufficient to “significantly limiting the number of users under the age of 13”. Secondly, the message delivered to the media by TikTok did not have the “necessary elements of urgency and alarm” to raise awareness concerning parental liability. Moreover, the additional measures adopted by the social network – such as implementing a new reporting system, increasing the number of Italian moderators and the monitoring of users activities – did not bring any result, according to the Italian DPA.

The Garante was also not satisfied with the deposition presented by TikTok. According to the Supervisory Authority, “an agreement whereby a minor user consents to the processing of his or her personal data in connection with the use of an information society service cannot be considered, under Italian law on the validity of contracts, an "atto comune" (literally “common act”), with the result that the relevant contract cannot be considered validly concluded”. Moreover, the information provided as per Article 13 GDPR were not compliant with the requirements of Article 12 GDPR in light of the fact that TikTok services are factually intended for minors. Finally, the age verification mechanisms did not respect the privacy by design principle.

According to the Garante, these findings confirm the unlawful nature of the data processing, and the persistence of the risks for users in case the processing of data is not suspended. Moreover, TikTok was failing to implement a system to avoid the processing of data of those users who cannot be consumers of the services offered by the social network itself, which is a specific obligation of the controller as per Articles 24 and 25 GDPR, according to the Garante.

Holding

For these reasons, the Garante imposed for a third time a temporary limitation of the processing of data related to users for which TikTok cannot verify the age or “at least their belonging to an age group compatible with the use of services intended for an audience of users over 13-year-olds”.

Secondly, the Italian DPA ordered the controller to implement appropriate measures to block the access to the social network to minors under the age of 13 and minors under the age of 14, “in the absence of the necessary manifestation of will made by the holder of parental responsibility, accompanied by a clear and unequivocal notice automatically activated each time the app in question is opened, highlighting the fact that its use is reserved exclusively for persons over the age of 13, duly authorized by those exercising parental responsibility up to the age of 14 years”.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.


[doc. web n. 9574709]

Provision of 25 March 2021

Record of measures
n. 126 of March 25, 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data ("General Data Protection Regulation" - hereinafter, the "Regulations");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the note no. 47853 of 15 December 2020 with which the Office, in opening a formal proceeding against Tik Tok (hereinafter also "the Company"), accused the latter of the alleged violation of some provisions of the Regulation, including 'other, from the point of view of the legal basis for the processing of the personal data of its users, the procedures for issuing the information, the transfer of data abroad, the data retention period, compliance with the principles of privacy by design and by default and, above all, of the forms provided for verifying the personal age of the users themselves with reference, in particular, to minors;

GIVEN the provision n. 20 of 22 January 2021 with which this Authority, also on the basis of the social alarm caused by some dramatic episodes of national news, adopted, as a matter of urgency, against the same Tik Tok the measure of the temporary limitation of treatment, pursuant to art. 58, par. 2, lett. f) and 66, par. 1, of the Regulation, prohibiting any further processing of personal data of users who are on the Italian territory for which it is not possible to verify the age with particular reference to that identified by the same company as the minimum age necessary for the use of the platform ( thirteen years) and that prescribed by the regulations in force for the provision of consent to the processing of personal data (fourteen years);

GIVEN the provision n. 61 of 11 February 2021 with which the Guarantor, pursuant to art. 58, par. 2, lett. f) and 66, par. 1 of the Regulation, given the persistence of the reasons of urgency underlying the previous provision and the insufficiency of the measures implemented up to then by Tik Tok in compliance with the aforementioned provision of 22 January 2021, also in order to verify the effectiveness of the measures adopted in the meantime by the Company has decided to extend the previous provision limiting the processing until March 15, 2021;

DATA, therefore, for recalled and for integrally reproduced here the provisions n. 20 of 22 January 2021 and no. 61 of 11 February 2021;

GIVEN the report on compliance by Tik Tok with the objection prepared by the Office, which shows, in particular, that:

- the system of simple self-declaration of age by users, albeit associated with a new feature as a result of which users who declare an age under the age of thirteen are deprived of the possibility of registering on the platform even if they subsequently declare a older age has proved unsuitable for significantly limiting the number of under-18 users who continue to use the services provided by the platform and to have their personal data processed by the Company;

- the message conveyed by Tik Tok through the media, although it contained references to the age limit to access it, did not appear to have the necessary urgency and alarm characteristics suitable to raise the due attention on the part of the holders of parental responsibility for minors;

- the additional tools that Tik Tok declared to have implemented, including the new reporting forms in the app, the increase of "moderators" in Italian, and the verification of user behavior did not appear to have led to significant results, as also confirmed by certain checks carried out by the Office which have made it possible to ascertain that even if a user only views and actively searches for content clearly of interest to an under-16-year-old public and, indeed, even dedicated to a pre-school age public, the Company does not take any suitable measure to exclude it from the use of its services;

- the Guarantor continued and continues to receive numerous solicitations, reports, requests and requests from civil society in relation to the recurrent presence of minors under the age of thirteen on the platform;

- the memorandum of January 26, 2021 filed by TikTok as part of the merit proceedings promoted by the Guarantor does not contain elements that would allow us to review the conclusions already laid down for the aforementioned urgent measures and this with particular reference:

to the legal basis of the processing that does not seem, unlike what is claimed by the Company, to be identified in the need to process the data of the interested parties for the sole purpose of executing a service requested by them, especially when the users are minors or even infra - thirteen years old and this because an agreement by which a minor user consents to the processing of his personal data - possibly even particular ones - in the face of the use of an information society service cannot be considered, pursuant to the Italian legislation on validity of contracts, a "common deed" with the consequence that the relative contract cannot be considered validly perfected;

to the information to be provided to the interested parties pursuant to art. 13 of the Regulations, which Tik Tok does not seem to render in compliance with the procedures referred to in Article 12 of the Regulations and this also taking into account the fact that the service rendered by the Company is, at least in practice, specifically intended for minors;

to the same privacy by design which cannot be considered respected by the age verification tools adopted: this parameter, moreover, is examined only with reference to the (alleged state of the art on the subject, but not with regard to the nature, scope of application and the purposes of the processing in relation to the risks to the rights and freedoms of individuals, who, in this case, are mainly minors;

CONSIDERING that these observations confirm on the one hand the unlawfulness - within the limits of the possible evaluation in the urgent phase - of the processing of personal data at least of users under the age of thirteen and fourteen, as well as the relevance of the risks of prejudice that could derive from such users in the absence of interruption of any processing of personal data referable to them;

CONSIDERING that, without prejudice to the disputes already addressed to the Company regarding the inadequacy, in the case of underage users, of the identification of the legal basis of the processing in a contract, the identification of suitable measures to exclude, by barring the entrance, at least the processing of personal data of users who, due to their age, cannot be recipients of the services provided by the Company which expressly reserves its services to over-thirteen-year-olds or are unable to validly express consent to the processing for purposes other than 'execution of the contract constitutes a precise and ineliminable duty of the data controller in implementation of the principles of accountability, privacy by design and by default (articles 24 and 25 of the Regulation);

CONSIDERING therefore, in the light of the acquired elements, to have to adopt pursuant to art. 58, par. 2, lett. d) and f), of the Regulations - within the time limits provided for by art. 66, par. 1, of the same - a new emergency measure against Tik Tok, valid in the Italian territory and effective until April 22, 2021,

- ordering the immediate implementation of suitable barrier measures at the entrance to the platform aimed at avoiding access to it by minors under the age of 13 and minors under 14 in the absence of the necessary manifestation of will made by the holder of parental responsibility , accompanied by a clear and unequivocal notice that can be automatically activated at each opening of the app in question that highlights its use reserved exclusively for those over 13 years of age, duly authorized by the parental responsibility operators up to the age of 14;

- imposing the provisional limitation of processing, prohibiting the further processing of personal data of users who are unable to verify their age or, at least, belonging to an age group compatible with the use of services intended for an audience of over-thirteen duly authorized by parental responsibility operators up to the age of 14;

REMEMBER that, in the event of non-compliance with the measure ordered by the Guarantor, the criminal sanction referred to in art. 170 of the Code and the administrative sanctions provided for by art. 83, par. 5, lett. e), of the Regulations;
RESERVED any evaluation regarding any decision to request the European Committee for the protection of personal data, pursuant to art. 66, par. 2, to adopt, always as a matter of urgency, a definitive measure, suitable for eliminating the risks at the origin of the measures already issued by the Guarantor;

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to Article 15 of Regulation No. 1/2000;

REPORTER Attorney Guido Scorza;

WHEREAS, THE GUARANTOR:

a) pursuant to art. 58, par. 2, lett. d) and f) and 66, par. 1 of the Regulation:

1. orders the immediate implementation of suitable barrier measures at the entrance to the platform aimed at preventing access to it by minors under the age of 13 and minors under 14 without the necessary manifestation of will given by the holder of parental responsibility , accompanied by a clear and unequivocal notice that can be automatically activated at each opening of the app in question that highlights its use reserved exclusively for those over 13 years of age, duly authorized by the parental responsibility operators up to the age of 14;

2. imposes the provisional limitation of processing, prohibiting the further processing of personal data of users who are unable to verify their age or, at least, belonging to an age group compatible with the use of services intended to an audience of over-thirteen duly authorized by parental responsibility operators up to the age of 14;

b) this provision has immediate effect from the date of receipt of the same by the holder and ceases its effects on the date of April 22, 2021;

c) orders Tik Tok to transmit to the Guarantor, within the expiry date of this provision, any information useful to allow the evaluation of the effectiveness of the prescribed measures.

Pursuant to art. 66, par 1, of the Regulation, of this provision prompt information is given to the supervisory authorities concerned, to the European Data Protection Committee and to the European Commission.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to this provision may be filed with the ordinary judicial authority, with an appeal filed with the ordinary court within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, March 25, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Peel

THE SECRETARY GENERAL
Mattei