Italy warns TikTok about changing its privacy policy

TikTok’s attempt to change the legal basis for targeting ads to users in Europe appears to have failed after the Italian data protection authority stepped in and issued a warning about the inadequacy of the legal basis just days before the planned privacy policy change.

The user-generated video sharing platform attracted attention from privacy experts last month when it quietly disclosed an upcoming change to its terms for users in the European Economic Area, the UK and Switzerland, which it said would apply from July 13: a switch from relying on consent to process user data for displaying “personalized” ads to a legal basis known as “legitimate interests”, stating that it would therefore stop asking users for permission to track them for targeted ads.

Privacy experts quickly questioned whether the switch would pass inspection by the data protection authorities.

The answer – at least in Italy – seems to be no.

In a press release announcing its “formal warning” to TikTok, the Italian authority, which said it “immediately” began fact-finding after learning of the planned revision of TikTok’s privacy policy, concluded that the planned change of legal basis is incompatible with the EU’s ePrivacy Directive and with the local data protection law that transposed the EU framework.

“Both legal documents expressly state that the consent of data subjects is the only legal basis for ‘saving information or accessing information already stored in the subscriber’s or user’s terminal equipment,’” it warned.

Italy’s DPA has also expressed concern about the risks of TikTok’s ad targeting reaching children if it goes ahead with the change, given long-standing worries about whether it can identify minors using its platform.

The Garante stated that it is acting under the EU’s ePrivacy Directive, which applies to tracking technologies and data processed on a terminal device.

The directive allows it to intervene at the national level, rather than escalating concerns to Ireland’s data protection agency, which leads on complaints against TikTok that fall under the General Data Protection Regulation (GDPR) as a result of the so-called “one stop shop” mechanism, which is intended to make compliance easier for businesses (but which critics argue has allowed tech giants to shirk responsibility for privacy-hostile data processing through forum shopping).

The Irish Data Protection Commission (DPC) has two open GDPR investigations into TikTok’s activities that were launched back in September 2021 (including one focused on the processing of children’s data), but neither investigation has resulted in any decisions, public warnings or orders.

The contrast with the Italian regulator, which was so quick to respond to concerns, looks marked.

In addition to today’s formal warning to TikTok, the Italian DPA also said it reserves the right to take additional measures, including an urgent procedure, if the platform “does not take a step back.”

Article 66 of the GDPR allows data protection regulators to bypass the standard requirement to escalate concerns to the lead supervisory authority and immediately take temporary measures at the national level (which can be in effect for three months) if they are satisfied that there is an urgent need to act to protect the rights and freedoms of data subjects. Thus, there is a mechanism the Garante may use to act quickly under the GDPR, for example if TikTok does not back away from the privacy policy switch.

It has already used this mechanism to intervene on urgent issues related to the TikTok platform, for example issuing a warning over inadequate age checks back in 2020 and then ordering TikTok to block users who failed to verify their age.

A few months after that, TikTok removed more than half a million accounts in Italy that could not be verified as not belonging to minors.

Now, Italy’s data watchdog has said it has “particular concern” about the platform’s transition to an inadequate legal basis with regard to protecting registered child users, warning: “[T]he difficulties TikTok currently faces in establishing age compliance requirements to access the platform cannot eliminate the risk that ‘personalized’ ads that include inappropriate content will be shown to very young users based on the company’s legitimate interests.”

Hence its move to formally warn TikTok that the processing of user data based on “legitimate interests” would be “contrary to the current regulatory framework, at least in relation to information stored on users’ devices, and would entail all appropriate consequences, including remedial action and fines,” it states.

While the EU GDPR allows fines that can be as high as 4% of the previous year’s total global turnover for confirmed rule violations, the older ePrivacy Directive authorizes member state competent authorities to impose “effective, proportionate and dissuasive” fines (which, in several recent cases, has resulted in some notable fines for the tech giants, some of which exceed $100 million, and even some notable policy rethinking, so complying with EU privacy rules certainly has an impact, even if much more is required).

“The discovery of a violation of the ePrivacy directive allowed the Italian SA to directly and urgently intervene in relation to TikTok, outside the cooperation procedure set out in the GDPR, which would have required the Irish Data Protection Commission to take the lead in the proceedings – since TikTok placed its main EU office in Ireland,” the Garante explains in its press release, before saying that it does not believe TikTok’s planned privacy policy change would be legal under the GDPR and adding that it has therefore also briefed both the Irish DPC and the European Data Protection Board (EDPB) “for them to consider further action, future action.”

It is unclear what further action may follow.

The DPC may decide to open a new investigation (provided TikTok doesn’t abandon its plan), although the timeline associated with the Irish regulator’s cross-border/major tech work to date suggests it could be years before it reaches a decision and any enforcement.

Thus, the EDPB could play an important role if the Italian supervisory authority decides to proceed with an urgent procedure under Article 66 of the GDPR and asks it to intervene and take final action against TikTok.

Although the Board rejected such a request from the Hamburg DPA regarding a complaint about the exchange of data between WhatsApp and Facebook, last year it ordered the DPC to “quickly” investigate. And a few months later, the Irish regulator made the final decision as part of a lengthy investigation into WhatsApp’s transparency that resulted in a $267 million fine. (Though the connection between the Board’s order and the DPC’s conclusion of a “voluntary” investigation is not entirely clear.)

TikTok and the Irish DPC have been contacted for comment on the Garante’s latest intervention.

In recent years, the video-sharing platform has also been scrutinized by regional consumer protection regulators. Concerns were raised in February 2021 by a number of agencies, including over child safety and marketing. These coordinated consumer protection complaints led to a “formal dialogue” led by the European Commission and, just last month, regulators obtained a number of commitments from TikTok to adjust ad disclosure (no penalties applied at the time).

However, privacy concerns related to the profiling of TikTok users have not been addressed under consumer protection action, which may also explain why the Italian DPA has decided to intervene now.
