TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 19 Feb. 2021 Related reading: BEUC files children's privacy complaint against TikTok


Greetings from Brussels!

Earlier this week the European Consumer Organisation, the BEUC, and 17 of its member organizations filed a complaint against TikTok with the European Commission, as well as with several EU national consumer protection authorities for unfair commercial practices, failure to protect children and violations of their rights under EU law. 

This was a well-coordinated effort on the part of BEUC and its member network. Following months of research, the end complaint is multifaceted in nature. The details of the alleged breaches are supported by two separate reports: one oriented toward consumer protection, and the other focused on the alleged failings of TikTok’s data protection and privacy policies, as well as noncompliance with the GDPR and ePrivacy Directive. The short version of the findings is that the platform’s practices for the processing of users’ data are misleading. Policies do not clearly inform users of the purpose of collection of their personal data and for what legal reason. It is also noted that taken the target audience of teenagers and minors, policies are not articulated in comprehensible or adequate fashion.

BEUC’s motivations are fairly transparent in that they are looking for European authorities at large to conduct a comprehensive investigation into TikTok’s policies and practices. What is also interesting to read is the dual approach of research and analysis from both the EU consumer and data protection law perspectives; clearly, there is an overlap with a common thread of inquiry. The reports have also been shared with the data protection authorities.

Notably, the European Data Protection Board set up a Task Force in June 2020 to best coordinate potential actions and acquire a more detailed overview of TikTok’s processing activities and practices across the EU. We have yet to see any conclusions from that work, as they remain confidential due to the link with ongoing enforcement investigations. That said, independent regulatory complaints in Europe are not new for TikTok. The ICO launched an investigation in their processing of U.K. children’s data in June 2019, which was followed by investigations being launched in May and June 2020, respectively, by the Dutch and Danish DPAs.

A more recent inquiry by the Italian Garante dating from December 2020 led to a "limitation of processing" order applicable as of February 2021. Tiktok committed to implementing measures to ban access to users under the age of 13. The company committed to evaluating the deployment of AI-based systems for age verification purposes. An information campaign will also be launched by the platform to raise awareness to both parents and children regarding the age requirements and registration process with the service. The company, whose main EU legal establishment is in Ireland, has also agreed to enter a dialogue with the Irish DPA on AI age verification tools.

I spoke with Rocco Panetta, Italy's country leader for the IAPP, to get an Italian viewpoint. This is not an isolated action by the Garante. Other social networks subject to requests for information — including Clubhouse, WhatsApp and Instagram — are currently engaged with the Italian DPA. Panetta said this demonstrates the growing body of evidence that there is a change in posture and strategy from the EU DPAs toward social networks. Proof of accountability and compliance is an increasing demand placed on digital companies. Italian competition authorities also levied a fine this week of 7 million euros on Facebook Ireland for failure to implement more clear and transparent notices on the collection and use of personal data, as well as the company’s commercial intentions — corrective provisions that were issued against Facebook back in November 2018.

What is becoming increasingly evident is that unfair and misleading practices in the collection and processing of personal data are becoming a fundamental pillar across both competition and consumer law investigations and actions. The convergence and alignment with data protection law can only lead to increased cooperation across the respective regulatory authorities for more effective enforcement.      


If you want to comment on this post, you need to login.