TikTok falls foul of Italian data protection authority...

On 22.01.21 the Italian data protection authority (Garante per la protezione dei dati personali) ("the Garante") banned TikTok from further processing the data relating to any user ‘whose age could not be established with full certainty so as to ensure compliance with the age-related requirements'.

Two previous issues are reported: First, TikTok had recently notified the Italian regulator that Italy was its main establishment in the E.U.; Second, in December 2020 the Italian regulator had notified TikTok of several infringements "including poor attention to the protection of minors, the easy dodging of the registration ban the company applies to children under 13 years, non-transparent and unclear information provided to users, and default settings falling short of privacy requirements"; and Third, a 13 year-old girl from Palermo is understood to have died.

The circumstances of the girl's very sad and unfortunate death are not clear but it is implied that she was a TikTok user and also that her use of the service was in some way thought to be connected with her death.

The upshot of this is that the Garante took proactive action to order TikTok to cease processing immediately until 15.02.21 "as the Garante plans to conclude its further assessment by that date".

In a blog post in January 2018 I noted that there was a significant lacuna in the implementation of child protection in the GDPR as the requirements for determination of the age of a person were at best unclear and at worst impossible to implement.  It is unfortunate if a child has died as a result of this lacuna being exploited by a data controller.  It is on the other hand encouraging that the Garante appears to be taking the issue very seriously and plans to deal with the matter in the very near term.

Ian Beeby