English privacy notice leads to Dutch data protection fine

Out-Law News | 28 Jul 2021 | 4:07 pm | 3 min. read

Chinese social media app TikTok has been fined €750,000 by the Dutch data protection authority, Autoriteit Persoonsgegevens (AP), after its English-language privacy notice was deemed insufficiently clear for children in the Netherlands to understand.

The AP ruled that the privacy notice “failed to provide an adequate explanation of how the app collects, processes and uses personal data”, in breach of data protection law.

The AP’s fine comes after it concluded an investigation into the measures TikTok has in place to protect the privacy of children. The AP presented the findings of its probe to TikTok, spurring the company to make a number of changes to its practices, but the AP has also shared the results of its investigation with Ireland’s Data Protection Commission (DPC), which has the power to take further action against TikTok if it concludes that the company is responsible for other breaches of the General Data Protection Regulation (GDPR).

Amsterdam-based data protection law expert Andre Walter of Pinsent Masons, the law firm behind Out-Law, said: “At the time investigations had been started, TikTok had no head office in the EU, which meant supervision over its data protection practices could be carried out from any data protection authority in any EU member state. In the course of the AP’s investigations, however, TikTok settled permanently in Ireland, restricting the scope of the action the AP could take in the Netherlands in relation to the violations it identified. It is now up to the Irish regulator to complete the investigation and make a final judgment on the other possible GDPR violations the AP has uncovered that go beyond the privacy notice.”

Chad Wollen, co-founder of Privacy Experience Agency, which specialises in designing privacy experiences for people, said the DPC would start by looking at TikTok’s practices as they stand today. He highlighted the fact that the company had already made changes since the AP’s investigation started, issuing language updates to its privacy notice and creating a new summary notice specifically for under-18s.

Walter said children’s privacy is a hot topic in Europe and that multiple regulators, as well as bodies such as the United Nations, have stepped up their interest in and oversight of business practices in this regard in recent times.

“The UK Information Commissioner’s Office (ICO) has been leading on this topic, publishing an ‘age-appropriate design code’ for online services that has been approved by the UK parliament and which must be implemented by 2 September 2021,” Walter said. “In respect of oversight in the EU, the Irish DPC has the lead. Late last year, it published for consultation fundamentals for a child-oriented approach to data processing. It is expected that these ‘fundamentals’, when finalised, will serve as the ‘EU blueprint’ on this topic.”

“With its draft fundamentals, the Irish DPC highlights, among other things, that the GDPR requires individuals be given certain information about the use of their personal data by organisations processing their data, and that this information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It has stressed that the clarity of this information is particularly required where it is being provided to a child. The DPC also emphasises that organisations should use child-friendly language to explain to children exactly what it is that they are doing with their personal data. Children are often unaware that their personal data is being collected for specific reasons, such as to provide them with customised in-app experiences or advertisements,” he said.

Wollen added: “Most businesses already struggle to make their privacy notices comply with the disclosure requirements of the GDPR. When GDPR requirements are reframed around children, the bar is raised considerably on what a ‘good privacy notice’ needs to be. There is an expectation that organisations look beyond issuing privacy notices in block text format and instead apply new approaches which chunk up text, use more graphics or even video. Some businesses should consider redesigning the user journey for privacy notices to recognise that under-18s need information to be pushed to them, rather than assuming they go find the notice.”

As Walter highlighted the importance of the Irish DPC’s probe to businesses’ understanding of regulators’ expectations in Europe on processing children’s data online, Wollen said businesses should be planning and preparing to change their practices as regulators’ expectations of businesses whose services are likely to be accessed by children grow.

“The biggest impact on ways of working is that regulators expect controllers to conduct research with children and parents so their compliance programmes incorporate their wants and concerns,” Wollen said.