The Dutch Data Protection Authority has imposed a fine of 750,000 euros on TikTok. The app has violated the privacy of Dutch users by only offering the privacy statement in English.
It concerns a fine for the American TikTok branch, which in turn is part of the Chinese parent company ByteDance. According to the Dutch Data Protection Authority, the app has in any case violated the GDPR since the entry into force of the law. “The AP notes that TikTok Inc. has provided its privacy policy to Dutch users in English only,” writes the privacy supervisor in the fine decision.
The privacy regulator began an investigation into TikTok in May last year. The AP wanted to know what personal data the app collects and processes. The AP therefore describes various conclusions about data collection in the fine decision, but these appear to be in line with the privacy law. It was not known at the time whether the AP was looking for a specific violation.
TikTok is not transparent about collecting user data, the AP says. That has to do with how ‘transparency’ should be defined. The GDPR states that processing operations must be explained to users in ‘understandable form’ and in ‘clear and simple language’. The AP points out that ‘a substantial part’ of Dutch users is younger than sixteen years old. This young target group brings an extra responsibility when it comes to using clear and simple language in all communication. TikTok should have known that those young users wouldn’t understand English well enough to understand exactly what they were agreeing to. In doing so, the app violates Article 12 of the GDPR.
The fine falls within the third category of the AP’s fine policy rules. 750,000 euros is the maximum fine. In determining the fine, the regulator looked in particular at the fact that children were affected, which the AP calls a ‘vulnerable group of people’. “This makes the violation extra serious,” said the regulator. The duration of the violation, namely from 25 May 2018 until now, also makes the violation ‘significant’.
The AP requested comment from the company in October 2020. TikTok did not deny the allegations, but concluded that the AP was not authorized to act against the company because its European office is located in Ireland. The company also points out that several features have been modified or removed for users under the age of 16. For example, since January 2021, such accounts are set to private by default and features such as Duet and Stitch are no longer available to them. The privacy policy will not be available in Dutch until July 29 of this year.
The amount of 750,000 euros is the second highest fine that the AP has handed out in the Netherlands to date. The highest fine to date was for the Credit Registration Office, which had to pay 830,000 euros for asking for money to inspect files.