September 21, 2021

Volume XI, Number 264

Advertisement

September 20, 2021

Subscribe to Latest Legal News and Analysis

Dutch DPA Fines TikTok 725,000 EUR for Transparency Violations

On July 22, 2021, the Dutch Data Protection Authority (“Dutch DPA”) announced that it had imposed a €725,000 fine on TikTok for violating the privacy of young children namely for the company’s alleged lack of transparency.

The fine comes after the Dutch DPA had previously investigated TikTok for alleged children’s privacy violations and submitted a report of its findings to the company in October 2020. In response, TikTok implemented a number of changes to make its app safer for children.

As a result of its investigation, the Dutch DPA found that the notice provided to Dutch users when installing and using the TikTok app was in English and not easily and readily understandable to users, thereby violating the EU General Data Protection Regulation’s (“GDPR’s”) transparency principle.

Article 12 of the GDPR requires controllers to take appropriate measures to provide notice of their data processing activities in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Recital 58 of the GDPR states that transparency is even more important for children, and acknowledges that “children merit specific protection.”

According to the Dutch DPA, a Dutch translation of the notice should have been made available to Dutch users, irrespective of whether Dutch users understand English. The Dutch DPA also found that the information disclosed to users in the app’s privacy notice and pop-up messages was not drafted in intelligible and plain language for children under the age of 16.

Dutch DPA’s Competence

The Dutch DPA was competent to conduct an investigation into TikTok’s privacy practices, as TikTok was not originally established in the European Union.  TikTok has since established operations in Ireland, and the Dutch DPA has transferred the case to the Irish Data Protection Commission to finish its investigation and issue a final ruling on other potential privacy infringements investigated by the Dutch DPA.

Read the Dutch DPA’s press release and decision, both available in English.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 209
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement