The social network TikTok, which is particularly popular with children and young people, and the French insurance group AG2R La Mondiale are facing sanctions for data protection violations in Europe. The Dutch supervisory authority, the Autoriteit Persoonsgegevens (AP), imposed a fine of 750,000 euros on the operator of the video app, which belongs to the Chinese company ByteDance. AG2R La Mondiale has to pay 1.75 million euros in France.
The AP accuses TikTok of having violated the privacy of children in particular. For a long time, the information that Dutch users received when installing and using the app was only in English and therefore difficult to understand. Because TikTok did not offer its data protection declaration in Dutch, it did not become sufficiently clear, to the numerous younger users in particular, “how the app collects, processes and further uses personal data”. This is incompatible with data protection legislation.
The Dutch inspectors started their investigation last year because they were concerned that TikTok was not sufficiently protecting the privacy of the particularly protected group of children. At that time, the company had not yet registered its headquarters in the EU. Therefore, it was possible for supervisory authorities in all member states to scrutinize TikTok’s practices.
Missing age verification
In the meantime, the app provider has stated that it has permanently settled in Ireland. The Irish Data Protection Commission (DPC) is therefore primarily responsible for it, although the DPC is already considered to be very busy with the many other internet giants in its area of responsibility, such as Google, Facebook and Twitter. The AP was therefore only authorized to decide on the data protection declaration, as TikTok had now made improvements and the case was closed.
The further results of the investigation would now be transmitted to the DPC, announced AP Vice President Monique Verdier. It is then up to the DPC to make a final judgment on all the data protection violations that have been raised. A sensitive point remains, for example, that it is still possible for children to enter a higher age when registering, thus pretending to be older and taking more risks.
Bullying and cyber-grooming
There are also people with bad intentions on TikTok, Verdier emphasized. “They use the recordings for unwanted dissemination, bullying or cyber-grooming”. TikTok promised and implemented various changes to make the app more secure for users under the age of 16. Parents can now manage the privacy settings of their children’s accounts from their own smartphones. But that is not enough. The Italian data protection authority had already ruled in January that TikTok is no longer allowed to process data from European users “whose age could not be determined with complete certainty”.
According to the AP, TikTok has appealed against the fine. The company points out that the data protection declaration and a particularly easy-to-understand, abbreviated version for younger users have been available in Dutch since July 2020. A total of 3.5 million mobile phone users in Holland have installed the app.
Insurer violates data protection several times
The French supervisory authority CNIL justifies its million-euro fine for AG2R La Mondiale on the grounds that the group, which is mainly active in the area of old-age provision, pension and health insurance, “kept the data of millions of people for an excessively long period of time” and had not fulfilled information requirements for telephone marketing campaigns. The company has now stopped the criticized practices.
According to the CNIL, AG2R La Mondiale had not implemented any deletion periods in its customer databases. The group, which is very active in sports sponsorship, has stored some sensitive information from the health and finance sectors on more than two million customers beyond the end of the contract. In addition, data from almost 2000 interested parties had been archived, although they had not had any contact with the company for more than three to five years.
The CNIL also accuses the insurer of having recorded telephone calls from subcontractors without the person contacted having been informed about the principle of recording or about their right of objection within the meaning of the General Data Protection Regulation (GDPR). The French inspectors had previously sanctioned the retail giant Carrefour and the shoe shipping company Spartoo for similar violations.