On July 22, 2021, the Dutch Data Protection Authority (“Dutch DPA”) announced that it had imposed a €750,000 fine on TikTok for violating the privacy of young children namely for the company’s alleged lack of transparency.
The fine comes after the Dutch DPA had previously investigated TikTok for alleged children’s privacy violations and submitted a report of its findings to the company in October 2020. In response, TikTok implemented a number of changes to make its app safer for children.
As a result of its investigation, the Dutch DPA found that the notice provided to Dutch users when installing and using the TikTok app was in English and not easily and readily understandable to users, thereby violating the EU General Data Protection Regulation’s (“GDPR’s”) transparency principle.
Article 12 of the GDPR requires controllers to take appropriate measures to provide notice of their data processing activities in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Recital 58 of the GDPR states that transparency is even more important for children, and acknowledges that “children merit specific protection.”
According to the Dutch DPA, a Dutch translation of the notice should have been made available to Dutch users, irrespective of whether Dutch users understand English. The Dutch DPA also found that the information disclosed to users in the app’s privacy notice and pop-up messages was not drafted in intelligible and plain language for children under the age of 16.
Dutch DPA’s Competence
The Dutch DPA was competent to conduct an investigation into TikTok’s privacy practices, as TikTok was not originally established in the European Union. TikTok has since established operations in Ireland, and the Dutch DPA has transferred the case to the Irish Data Protection Commission to finish its investigation and issue a final ruling on other potential privacy infringements investigated by the Dutch DPA.