The Dutch data protection authority has recently fined Tik Tok for privacy violations of children. Tik Tok is a video-sharing app very popular among young children owned by the Chinese company ByteDance.
€750,000 for GDPR privacy violations
The social media app is accused of non-compliance with the GDPR (The General Data Protection Regulation). The app is providing information about its installation and functionality only in English. Therefore, Tik Tok does not provide an adequate explanation in Dutch of how it collects and processes information.
With many young children in the Netherlands having TikTok on their phones, it is a big issue as they tend to be especially vulnerable and less aware of the consequences involved with sharing their data. Therefore, the GDPR provides children with additional protections.
Verdier: 'With about 3.5 million users in the Netherlands, it is one of the most popular apps now. It's also really fun to make videos together and see what others are making.'
'But there are also people with bad intentions on TikTok. Who use the images for unwanted distribution, bullying or grooming, digital children's lures?’
The GDPR contains provisions intended to enhance the protection of children’s personal data. It ensures that children are addressed in plain clear language that they can understand. Transparency and accountability are important where children’s data is concerned, which is especially relevant when accessing online services.
When we refer to a child, we mean anyone under the age of 18. This is in accordance with the UN Convention on the Rights of the Child which defines a child as everyone under 18.
What should the general approach to processing children's personal data be?
The GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default.'
This means you must integrate data protection into your processing activities and business practices, from the design stage right through the lifecycle.
However, it is easier to incorporate child-friendly design into a system or product as part of your initial design brief than to try and add it in later. We recommend that you use a Data Protection Impact Assessment (DPIA) to help you with this, to assess and mitigate data protection risks regarding the child.
If you aren’t sure whether your data subjects are children, or what age range they fall into, then you will need to adopt a cautious and risk-based approach. This may mean:
- designing your processing so that it provides sufficient protection for children.
- putting in place proportionate measures to prevent or deter children from providing their personal data.
- taking appropriate actions to enforce any age restrictions you have set; or
- implementing up-front age verification systems.
In conclusion, children have the same rights as adults over their personal data. They are more vulnerable therefore, we should protect their privacy carefully. We put at your disposal our advisory services. Contact us for more information.