Introduction:
Tiktok, the Chinese social media app, is once again under fire for possible GDPR violations. Dhe European Data Protection Board (Indeed, EDPB) has determined that the app is in violation of the GDPR given that it processes data on teens and children and does not provide the necessary transparency as to how and why it processes that data.
TapTok and minors
The biggest pain point around TikTok has always been the fact that so many minors use the app, even children under 13 are clearly active on the app.
People have been asking for years whether stricter measures should not be taken to restrict app access. In this regard, many users in 2021 also began to question whether TikTok’s practices were not Manifestly against the provisions of the GDPR. Because, on the one hand, there was no solid method of age verification for users under 13 available and, on the other hand, this was not provided for in the provisions for children’s data processing in the privacy policy.
EDPB Takes Important Decision on GDPR Dispute Resolution
Specifically, the objections concerned whether there was a breach of data protection by design and default with respect to age verification and whether there was a breach of fairness with respect to certain design practices.
The case was being investigated by the Irish Data Protection Authority, home of the company’s European headquarters. However, the Irish Data Protection Authority could not reach a final decision after facing opposition from the data protection authorities of other EU member states which led to the case being referred to the EDPB.
The EDPB finally adopted a dispute resolution decision in August this year based on Article 65 of the GDPR.
EDPB’s Binding Decision in TikTok Case Influences Fine and Compliance
The binding decision addresses legal questions arising from objections to the Irish Data Protection Authority’s draft decision as lead supervisory authority regarding TikTok. The EDPB’s binding decision ensures the correct and consistent application of the GDPR by national data protection authorities.
The decision of the EDPB means that the Irish Data Protection Authority will now have to deliberate and impose a fine on the company and also define the compliance measures it must take. Ireland’s Data Protection Commission has until September to issue the final penalty and possible measures. The size and details of the fine are unknown at this time.
Review of Privacy Issues
This is not the first time Tiktok has been penalized for processing children’s data. In April this year, TikTok was fined €14.7 million by the U.K. Data Protection Authority for illegally processing children’s data, one of the largest penalties of its kind.
Also in 2021, Tiktok was already fined €750,000 by the Dutch Personal Data Authority for failing to protect the privacy of Dutch children by not having a privacy policy in their native language.
A step in the right direction
Tiktok does take the necessary steps to become GDPR-compliant. For example, it recently unveiled plans to comply with the European Union’s new Digital Services Act (DSA). As a result, as a TikTok user, you are going to be able to choose to see a feed of recommended videos and these recommendations will no longer be based on your digital footprint.
Such changes also affect advertisements. European users under 18, for example, will no longer see personalized ads based on their activity. For adult users, provision will be made to disable personalized ads in the settings. In addition, TikTok has introduced an additional content reporting option that allows users to flag illegal content.
Conclusion
It is important for TikTok to increase transparency, both in terms of advertisements, and in terms of processing personal data of minors.