By: Aastha Bhandari
This article aims to analyse the decision of the Dutch Data Protection Authority, the Autoritiet Persoonsgegevens (hereinafter ‘AP’) concerning the imposition of a substantial fine of 7,50,000 euros on Tiktok Inc. (hereinafter ‘the Company’) for infringement of the data privacy of young children using the app in the Netherlands.
The author argues that this decision does not demonstrate an accurate application of the transparency principle. Thus, the author proposes that there is an imminent need to focus on the standardisation of the presentation and placement of the policies on apps and websites, rather than ending the matter in the language of the script. In this endeavour, the author analyses the presentation and content of cookie settings on the websites of four major organisations in the Netherlands namely: Amazon, H&M, Zara, and KLM Royal Dutch Airlines to explain how the lack of standardisation may pose difficulties for the understanding of the data subject. Finally, the author recommends certain mechanisms to overcome said difficulties and provides concluding remarks.
UNDERSTANDING THE DECISION OF THE AP
In the current case, the AP held that the Company violated Article 12(1) of the General Data Protection Regulation (hereinafter ‘GDPR’) on account of providing its Policy to Dutch children between the period 25 May 2018 to 28 July 2020 in the English language. It was reasoned that since a sizeable number, approximately 8,30,000 of the users of the Company’s app were Dutch children below the age of 18 years, it should have communicated its Policy in the Dutch script instead of English. The AP relied on three pivotal legal grounds under data privacy regulation in the EU to substantiate its findings:
- Article 12(1) read with Recital 58:The significant provision of Article 12(1) mandates that the data controller must communicate information relating to the processing of personal data in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”, particularly in the case of children. To supplement this, Recital 58 informs us that since children need certain additional support to understand the purpose of processing, information should be communicated to them in a “clear and plain language that is easily understandable by the child.”
- Article 5(1) read with Recitals 39 and 60: It is significant to note that Article 5(1) enshrines the principle of transparency, together with lawfulness and fairness, as one of the basic principles for the processing of personal data. This is broadly referred to as the transparency principle. Its true meaning can be understood with the help of Recital 60 to the GDPR which states that the principles of fair and transparent processing require that the “data subject be informed of the existence of the processing operation and its purposes.” Further, Recital 39 adds that the communication related to processing the individual’s personal data must be “easily accessible and easy to understand.”
Simply put, the AP demonstrated that the display of the English script instead of the Dutch to the children using the Company’s app did not communicate the reasons for processing of their personal data in a clear and plain language. Hence, the Policy was presented to them in a manner that was not easily understandable by them. However, the Company defended its Policy by stating that there was enough data to show that the children in question could understand the English script by relying on the fact that the Netherlands was ranked among the top three countries in the world in the Education First English Proficiency Index. The AP did not consider this as a valid argument as it opined that the Company should not have presumed that the children would have a good command of the English language at their age. It is in this sense that the AP applied the transparency principle to imply that had the Policy of the Company been communicated to the children in the Dutch script it would have had the effect of enhancing their understanding of the same. At the same time, this decision also implies that a change in the language of the script, that is, from Dutch to English in this case, meets the threshold of “clear and plain language” as prescribed in Article 12(1) of the GDPR.
TAKING COGNISANCE OF THE IMPLICATIONS OF THE CHIDLREN’S CODE OF THE ICO
It must also be noted that the Office of the Information Commissioner of the United Kingdom (hereinafter ‘ICO’) released the Children’s Code of 2020 (hereinafter ‘the Code’).This Code would govern the line of activities that the data controller must follow if they are engaging with children, in light of safeguarding the child’s best interests. This article highlights that the Code defines different requirements for the data controller dealing with children of different age categories. The following is a reproduction of certain portions of the same:
|Age Group (in years)||Recommendations for increasing understanding of the data subject|
|0-5 (pre-literate)||Provide audio or video prompts telling children to leave things as they are or get help from a parent/trusted adult if they try and change any high privacy default settings.|
|6-9 (Core primary school years)||Provide cartoon, video, or audio materials to sit alongside parental resources.|
|10-12 (Transition years)||Allow children to choose between written and video/audio options.|
|13-15 (Early teens)||Allow children to choose between written and video/audio options.|
|16-17 (Approaching adulthood)||Allow children to choose between written and video/audio options.|
A preliminary analysis of Table 1.1 shows that the Code focuses on the categorisation of distinct tools to be made available to different age groups of children, ranging from audio/video to written options. The objective is to help them understand the reasons for the processing of their personal data in the clearest manner. The author submits that it can be inferred that the Code is attempting to meet the threshold of “clear and plain language” through the use of not only a written script of the language but by expanding the ambit of this phrase to include audio and visual tools. Further, this categorisation intends to inform the data controllers that they must use these tools to increase the level of understanding of each specific group in a specific way. This aligns with the Transparency Guidelines which recommend using the “average member of the intended audience as a yardstick” for the purposes of communicating in an intelligible language.
However, the author wishes to highlight that the decision of the AP in the Tiktok Case as well as the implementation of the Code do not meet the bar for effectively enabling the understanding of the data subject. Part 2 of this article heavily analyses the endeavours taken by the AP and the ICO and demonstrates a significant need for an element of standardisation rather than categorisation.
(Aastha is a law undergraduate at O.P Jindal Global University. The author may be contacted via email at email@example.com)