Out-Law News | 28 Jul 2021 | 4:07 pm | 3 min. read
The AP ruled that the privacy notice “failed to provide an adequate explanation of how the app collects, processes and uses personal data”, in breach of data protection law.
The AP’s fine comes after it concluded an investigation into the measures TikTok has in place to protect the privacy of children. The AP presented the findings of its probe to TikTok, spurring the company to make a number of changes to its practices, but the AP has also shared the results of its investigation with Ireland’s Data Protection Commission (DPC) which has the power to take further action against TikTok if it concludes that the company is responsible for other breaches of the General Data Protection Regulation (GDPR).
Amsterdam-based data protection law expert Andre Walter of Pinsent Masons, the law firm behind Out-Law, said: “At the time investigations had been started, TikTok had no head office in the EU, which meant supervision over its data protection practices could be carried out from any data protection authority in any EU member state. In the course of the AP’s investigations, however, TikTok settled permanently in Ireland, restricting the scope of the action the AP could take in the Netherlands in relation to the violations it identified. It is now up to the Irish regulator to complete the investigation and make a final judgment on the other possible GDPR violations the AP has uncovered that go beyond the privacy notice.”
Chad Wollen, co-founder of Privacy Experience Agency, which specialises in designing privacy experiences for people, said the DPC would start by looking at TikTok’s practices as they stand today. He highlighted the fact that the company had already made changes since the AP’s investigation started, issuing language updates to its privacy notice and creating a new summary notice specifically for under-18s.
Walter said children’s privacy is a hot topic in Europe and that multiple regulators, as well as bodies such as the United Nations, have stepped up their interest in and oversight of business practices in this regard in recent times.
“The UK Information Commissioner’s Office (ICO) has been leading on this topic, publishing an ‘age-appropriate design code’ for online services that has been approved by the UK parliament and which must be implemented by 2 September 2021,” Walter said. “In respect of oversight in the EU, the Irish DPC has the lead. Late last year, it published for consultation fundamentals for a child-oriented approach to data processing. It is expected that these ‘fundamentals’, when finalised, will serve as the ‘EU blueprint’ on this topic.”
“With its draft fundamentals, the Irish DPC highlights, among other things, that the GDPR requires individuals be given certain information about the use of their personal data by organisations processing their data, and that this information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It has stressed that the clarity of this information is particularly required where it is being provided to a child. The DPC also emphasises that organisations should use child-friendly language to explain to children exactly what it is that they are doing with their personal data. Children are often unaware that their personal data is being collected for specific reasons, such as to provide them with customised in-app experiences or advertisements,” he said.
Wollen added: “Most businesses already struggle to make their privacy notices comply with the disclosure requirements of the GDPR. When GDPR requirements are reframed around children, the bar is raised considerably on what a ‘good privacy notice’ needs to be. There is an expectation that organisations look beyond issuing privacy notices in block text format and instead apply new approaches which chunk up text, use more graphics or even video. Some businesses should consider redesigning the user journey for privacy notices to recognise that under-18s need information to be pushed to them, rather than assuming they go find the notice.”
As Walter highlighted the importance of the Irish DPC’s probe to businesses’ understanding of regulators’ expectations in Europe on processing children’s data online, Wollen said they should be planning and preparing to change their practices as regulators’ expectations of businesses whose services are likely to be accessed by children grow.
“The biggest impact on ways of working is that regulators expect controllers to conduct research with children and parents so their compliance programmes incorporate their wants and concerns,” Wollen said.