The Dutch Data Protection Authority (DPA) has imposed a fine of € 750,000 on TikTok, a social media apps very popular amongst young users, for breaching young children’s privacy.
The Dutch Authority noticed that the privacy policy provided by TikTok to Dutch users when setting up and using the app was in English and thus not readily understandable.
By not offering their privacy statement in Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data.
Besides, the Dutch DPA made Tik Tok change some of its setting so that parents could have a better control over their young children’s activities on the social media apps.
However, this decision is not final as according to the Dutch authority’s spoke person, the investigation has now been transferred to the Irish DPA where TikTok has established its EU headquarter during the procedure. For this reason, the Dutch DPA ‘s decision was limited to GDPR breaches stemming from the TikTok information notice and, which ended before TikTok settled its new EU establishment in Ireland.
Even though, TikTok has already appealed the Dutch DPA decision, it is now for the Irish Authority to follow up by finalising the investigation and issuing an additional ruling regarding other potential TikTok’s GDPR breaches.
The Dutch DPA issued a €750,000 fine and required the implementation of new measures to stop digital grooming, online bullying and provide more parental control
Following its investigation, the DPA submitted a report of its findings to TikTok in October 2020. In particular, the Dutch Authority had noticed that the privacy policy provided by TikTok to Dutch users was in English and thus not readily understandable. Indeed, by not offering its privacy statement in Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data.
It resulted in TikTok implementing a number of changes to make its app safer for children under the age of 16.
For example, Parents now also have more control over their child’s account. They can manage their child’s privacy settings through their own account and the ‘Family Pairing’ feature.
Nonetheless, the Dutch DPA pointed out that one of the main remaining issue is that children can still pretend to be older by indicating a different age from their own when creating their TikTok account but, it did not specify how to address this issue.
Despite the changes made by TikTok to its setting to better protects children under 16, the Dutch Data Protection Authority (DPA) has imposed a fine of € 750,000 on TikTok.
Although TikTok has appealed the decision, we expect another fine to be issued by the Irish Authority.
The Dutch DPA transferred the TikTok investigation’s findings to the Irish DPA for future ruling on other potential GDPR breaches
Until recently, TikTok did not have any establishment located within the European Union. As a result, any EU Data Protection Authority of a Member State in which TikTok operated could engage in investigation without being subject to the consistency procedure/one stop shop procedure.
However, in the course of the investigation, TikTok decided to set up an establishment in Ireland for its operations in the EU. It resulted in the Irish Data Protection Authority to become the lead supervisory authority. Therefore, the Dutch DPA had to transfer the findings of its investigation so that the Irish Authority could take the lead.
Nonetheless, it did not prevent the Dutch authority from issuing a fine as according to the DPA’s Deputy Chair Monique Verdier “From that point on, the Dutch DPA was only authorised to assess TikTok’s privacy statement because the violation itself had already ended. It is now up to Ireland’s Data Protection Commission to finish our investigation and issue a final ruling on the other possible violations of privacy investigated by the DPA.’
For any question, contact Arnaud Blanc, French lawyer and privacy expert.
This post is also available in fr_FR.