The Transparency Principle in Data Privacy: An Analysis of the Autoriteit Persoonsgegevens’s Decision on Tiktok Inc.’s Privacy Policy (Part 1)

By: Aastha Bhandari


(This post is the first of a two-part series on the topic – ‘The Transparency Principle in Data Privacy: An Analysis of the Autoriteit Persoonsgegevens’s Decision on Tiktok Inc.’s Privacy Policy’)

INTRODUCTION

This article aims to analyse the decision of the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (hereinafter ‘AP’), concerning the imposition of a substantial fine of 7,50,000 euros on Tiktok Inc. (hereinafter ‘the Company’) for infringement of the data privacy of young children using the app in the Netherlands.

The fine was imposed on account of a failure to inform the children about the processing of their personal data “in an intelligible language.” The AP demonstrated the gap created by the use of the English language in the Company’s Terms of Service and Privacy Policy (hereinafter ‘the Policy’). It maintained that the inability of children using the application to understand the Policy is a violation of the openness and transparency principle in data privacy legislation. Consequently, the AP held that Tiktok failed to adequately explain how the app collects, processes, and uses personal data. Although this was intended to be a step towards enabling data subjects to understand and consent to the processing of their personal data by the data controller, it may not have the required consequences.

The author argues that this decision does not demonstrate an accurate application of the transparency principle. Thus, the author proposes that there is an imminent need to focus on the standardisation of the presentation and placement of the policies on apps and websites, rather than ending the matter in the language of the script. In this endeavour, the author analyses the presentation and content of cookie settings on the websites of four major organisations in the Netherlands, namely Amazon, H&M, Zara, and KLM Royal Dutch Airlines, to explain how the lack of standardisation may pose difficulties for the understanding of the data subject. Finally, the author recommends certain mechanisms to overcome said difficulties and provides concluding remarks.

UNDERSTANDING THE DECISION OF THE AP

In the current case, the AP held that the Company violated Article 12(1) of the General Data Protection Regulation (hereinafter ‘GDPR’) by providing its Policy to Dutch children in the English language from 25 May 2018 to 28 July 2020. It reasoned that since a sizeable number of the users of the Company’s app, approximately 8,30,000, were Dutch children below the age of 18 years, the Company should have communicated its Policy in the Dutch script instead of English. The AP relied on three pivotal legal grounds under data privacy regulation in the EU to substantiate its findings:

  1. Article 12(1) read with Recital 58: The significant provision of Article 12(1) mandates that the data controller must communicate information relating to the processing of personal data in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”, particularly in the case of children. To supplement this, Recital 58 informs us that since children need certain additional support to understand the purpose of processing, information should be communicated to them in a “clear and plain language that is easily understandable by the child.”
  2. Article 5(1) read with Recitals 39 and 60: It is significant to note that Article 5(1) enshrines the principle of transparency, together with lawfulness and fairness, as one of the basic principles for the processing of personal data. This is broadly referred to as the transparency principle. Its true meaning can be understood with the help of Recital 60 to the GDPR which states that the principles of fair and transparent processing require that the “data subject be informed of the existence of the processing operation and its purposes.” Further, Recital 39 adds that the communication related to processing the individual’s personal data must be “easily accessible and easy to understand.”
  3. Transparency Guidelines: The Guidelines on Transparency under Regulation (EU) 2016/679 (hereinafter ‘Transparency Guidelines’) provide that the requirement of clear and plain language as mentioned above relates to lesser usage of legalese and technical or specialist terminology. As such, the phraseology, sentence structure, and tone of the Privacy Policy should be such that children can comfortably understand the same.

Simply put, the AP demonstrated that the display of the English script instead of the Dutch to the children using the Company’s app did not communicate the reasons for processing of their personal data in a clear and plain language. Hence, the Policy was presented to them in a manner that was not easily understandable by them. However, the Company defended its Policy by stating that there was enough data to show that the children in question could understand the English script by relying on the fact that the Netherlands was ranked among the top three countries in the world in the Education First English Proficiency Index. The AP did not consider this as a valid argument as it opined that the Company should not have presumed that the children would have a good command of the English language at their age. It is in this sense that the AP applied the transparency principle to imply that had the Policy of the Company been communicated to the children in the Dutch script it would have had the effect of enhancing their understanding of the same. At the same time, this decision also implies that a change in the language of the script, that is, from Dutch to English in this case, meets the threshold of “clear and plain language” as prescribed in Article 12(1) of the GDPR.

TAKING COGNISANCE OF THE IMPLICATIONS OF THE CHILDREN’S CODE OF THE ICO

It must also be noted that the Office of the Information Commissioner of the United Kingdom (hereinafter ‘ICO’) released the Children’s Code of 2020 (hereinafter ‘the Code’). This Code would govern the line of activities that the data controller must follow if they are engaging with children, in light of safeguarding the child’s best interests. This article highlights that the Code defines different requirements for the data controller dealing with children of different age categories. The following is a reproduction of certain portions of the same:

| Age Group (in years) | Recommendations for increasing understanding of the data subject |
|---|---|
| 0-5 (pre-literate) | Provide audio or video prompts telling children to leave things as they are or get help from a parent/trusted adult if they try and change any high privacy default settings. |
| 6-9 (Core primary school years) | Provide cartoon, video, or audio materials to sit alongside parental resources. |
| 10-12 (Transition years) | Allow children to choose between written and video/audio options. |
| 13-15 (Early teens) | Allow children to choose between written and video/audio options. |
| 16-17 (Approaching adulthood) | Allow children to choose between written and video/audio options. |

Table 1.1

A preliminary analysis of Table 1.1 shows that the Code focuses on the categorisation of distinct tools to be made available to different age groups of children, ranging from audio/video to written options. The objective is to help them understand the reasons for the processing of their personal data in the clearest manner. The author submits that it can be inferred that the Code is attempting to meet the threshold of “clear and plain language” through the use of not only a written script of the language but by expanding the ambit of this phrase to include audio and visual tools. Further, this categorisation intends to inform the data controllers that they must use these tools to increase the level of understanding of each specific group in a specific way. This aligns with the Transparency Guidelines which recommend using the “average member of the intended audience as a yardstick” for the purposes of communicating in an intelligible language.

However, the author wishes to highlight that the decision of the AP in the Tiktok Case as well as the implementation of the Code do not meet the bar for effectively enabling the understanding of the data subject. Part 2 of this article analyses in depth the endeavours taken by the AP and the ICO and demonstrates a significant need for an element of standardisation rather than categorisation.


(Aastha is a law undergraduate at O.P Jindal Global University. The author may be contacted via email at 19jgls-aastha.b@jgu.edu.in)

Cite as: Aastha Bhandari, ‘The Transparency Principle in Data Privacy: An Analysis of the Autoritiet Persoonsgegevens’s Decision on Tiktok Inc.’s Privacy Policy (Part 1)’ (The RMLNLU Law Review Blog, 03 April 2022) <https://rmlnlulawreview.com/2022/04/03/transparency-principle/>   date of access

One thought on “The Transparency Principle in Data Privacy: An Analysis of the Autoritiet Persoonsgegevens’s Decision on Tiktok Inc.’s Privacy Policy (Part 1)

  1. Data is considered modern day food.
    The author has intelligently placed the importance of privacy of data and at the same time needless increase of such tightening of privacy by regulatory authority in their zeal to show how much they care for such strict privacy
