Dutch Data Protection Authority fines TikTok EUR 750,000: popular video-sharing app restricted after all?

 August 4, 2021 | Blog

TikTok is a popular platform used for creating, editing and sharing videos. The app is mainly used by youngsters, mostly under 16s. Users communicate with one another through chats, likes or comments under videos. An algorithm determines which videos the user automatically gets to see on their personal page. TikTok generates revenue through advertising. In May 2020, the Dutch Data Protection Authority ('Dutch DPA') announced that it was conducting an investigation into the popular app's data processing activities. The preliminary results were expected to be published at the end of 2020, but this took longer. The long-awaited decision on a fine for TikTok was published recently. The outcome of the investigation was a EUR 750,000 fine for violation of the obligation to disclose information laid down in Article 12 (1) of the GDPR.

This blog focuses on the principle of transparency (the decision's key section) and the role it plays in the Dutch DPA’s decision to impose a fine. We will also discuss the circumstances of the investigation and the Dutch DPA's competence and other ongoing investigations.

Tip of the iceberg?

It is remarkable that, in its decision, the Dutch DPA only considers the violation of the obligation to disclose information and provide transparency, whereas in an earlier announcement it also mentioned lack of valid consent. This is surprising because TikTok asks for consent in various situations, whereas valid consent may only be given in the Netherlands from the age of 16 - and TikTok's users are often under 16. There are also concerns about the possible sharing of personal data with, for example, China, without suitable measures being in place, as well as its use of biometric data (used to estimate users’ age) without a valid ground. In addition, TikTok is said to be using profiling in various markets (but not in the Netherlands).

The Dutch DPA is not the only data protection authority in Europe that has started an investigation into TikTok. Earlier this year, the Italian data protection authority imposed a data processing restriction on the video-sharing app after a ten-year-old user died, allegedly after imitating a video that had been posted on TikTok. The French and Danish privacy watchdogs also started to investigate the data processing activities of the popular app following several complaints. The Danish data protection authority has now turned over its investigation to the Irish Data Protection Commission (‘Irish DPC’).

On the first page of its decision, the Dutch DPA states that it is going to request the Irish DPC “to complete the investigation”. It is unclear at the moment on which grounds the remainder of the Dutch investigation is based, but there is a possibility that the Dutch DPA's fine will not be the last fine for TikTok.

The essence of the violation

Up until July 2020, the app only had a privacy statement in English, whereas TikTok is used by large numbers of youngsters from the age of 6 (!) to 18, and is particularly popular with twelve-year-olds. Only disclosing information in English, the Dutch DPA argues, is not appropriate for this age group, and results in a violation of Article 12 of the GDPR. Pursuant to that article, communication must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. In addition, recital 58 of the GDPR stipulates that children merit specific protection - any information addressed to a child should be in such clear and plain language that the child can easily understand it. According to the Dutch DPA, a text on data processing in English does not meet that requirement.

The transparency principle explained

The transparency principle is a key principle of EU law, and one of the basic principles of processing of personal data: Article 5 (1) (a) of the GDPR stipulates that personal data must be processed lawfully, fairly and in a transparent manner. From this point of view, the data subject must be informed of the existence of the processing operation and its purposes (recital 60 of the GDPR). This obligation therefore forms the link between the transparency principle and the obligation to provide information.

The transparency principle has been clarified by the European Data Protection Board in the Guidelines on Transparency. The Guidelines outline the way in which information must be provided as well as the factors that are relevant to determining whether the information has been provided in an appropriate manner. The following rules are relevant:

  • The requirement that information is “intelligible” means that it should be understood by an average member of the intended audience;
  • Clear and plain language: the information provided to a data subject should not contain overly legalistic, technical or specialist language or terminology; a translation in one or more other languages should be provided where the controller targets data subjects speaking those languages (subject to certain conditions);
  • Children or other vulnerable groups: the vocabulary, tone and style of the language used must be appropriate to and resonate with children.

TikTok is of the opinion that most of the children should be able to understand the English-language documentation, given the general level of command of the English language in the Netherlands. However, the Dutch DPA concludes that TikTok should have carried out more research into the target group and the intelligibility of its documentation in relation to the target group. The Dutch DPA states that it cannot reasonably be argued that the information was also intelligible to children under the age of 16.

The fact that TikTok took additional measures, such as placing pop-ups on the public nature of videos shared in the app, setting up a Help and Safety Centre and providing a Dutch-language summary of the privacy statement, does not change the above. Although the Dutch DPA recognises that these measures could contribute to the extent of transparency given, Article 13 of the GDPR requires that the information on the processing of personal data be provided to data subjects in advance. Such measures only become relevant once the user has already created an account and data processing has already started.

In July 2020, TikTok made available a Dutch-language privacy statement to its Dutch users. From that time, there was no longer a violation of Article 12 of the GDPR, given that this document, in terms of the language and format used, is appropriate to and resonates with Dutch children.

Is the Dutch DPA competent in this case?

In its decision, the Dutch DPA also discusses its competence to enforce the law because TikTok (previously only based in the US) now has a main establishment in Ireland, which would mean that only the Irish DPC would be competent to conduct an investigation within the EU. Pursuant to Article 56 of the GDPR, the supervisory authority of the main establishment, also referred to as the lead supervisory authority, is competent to act for the cross-border processing. This is also known as the one-stop-shop principle.

The Dutch DPA considers that it was competent to act in this case up until the moment that the EU establishment in Ireland was created, on 29 July 2020. This is because in cases where there is no EU establishment, any supervisory authority in any EU member state is competent to enforce the law. As the violation the fine relates to (violation of Article 12 of the GDPR) had already ended prior to TikTok establishing itself in the EU, the creation of its main establishment in Ireland has no consequences for this particular investigation performed by the Dutch DPA. TikTok has lodged an objection to the fine.
