The Dutch data protection authority (DPA) has imposed a fine of €750,000 on TikTok for violating the privacy of young children. According to a press release by the DPA, the information provided by TikTok to Dutch users – many of whom are young children – when installing and using the app is in English, and therefore not readily understandable. According to the DPA, by not offering their privacy statement in Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data. The DPA found this to be an infringement of the existing privacy laws, including the principle that people must be given a clear idea of what is being done with their personal data.
The fine follows an in-depth investigation of the app launched in 2020 by the DPA due to concerns regarding the privacy of children, who are treated as an especially vulnerable category under the law.
In its decision to impose an administrative fine, the DPA highlighted that transparency is an important principle, and is an expression of the principle of fairness with regard to the processing of personal data. In terms of recital 60 of the General Data Protection Regulation (GDPR) of the European Union (EU), fair and transparent processing requires that the data subject be informed of the existence of the processing operation and its purposes. Recital 39 of the GDPR adds that the principle of transparency requires that any information and communication relating to the processing of such personal data be easily accessible and easy to understand, and that plain language be used. Data subjects should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and of how to exercise their rights in relation to such processing.
According to the DPA: “The fact that TikTok Inc. has not provided this information in Dutch to Dutch speaking children under the age of 16 years already means that TikTok infringed Article 12(1) of the GDPR. The requirement of intelligibility requires at least that when the controller addresses data subjects who speak another language, it provides a translation into that language to those data subjects. This obligation applies in particular when – as in the present case – it is addressed to (young) children, so that they can easily understand the information.”
In determining the fine to be imposed, the DPA took into account the nature, gravity and duration of the breach; the intentional or negligent character of the infringement; and the action taken by the controller or processor to mitigate the damage suffered by data subjects. In conclusion, the DPA determined that a fine of €750,000 would be “appropriate and necessary” in the present matter, with TikTok being sufficiently able to pay this amount.
The press release is accessible here.
The decision to impose an administrative fine is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].