TikTok warned against personalised advertising based on legitimate interest
The Italian supervisory authority, through an urgent decision adopted on 7 July, warned the platform that the personal data stored on users' devices may not be used to profile those users and serve them personalised ads without their explicit consent.
On the basis of the information made available by the company, the authority concluded that the change in legal basis was incompatible with EU Directive 2002/58 ("e-Privacy"), as well as with Section 122 of the Italian personal data protection law, which transposes that directive. Both legal instruments explicitly provide that the data subject's consent is the only legal basis for storing information, or gaining access to information already stored, in the terminal equipment of a subscriber or user.
Beyond the inadequate legal basis, the protection of child users registered with the platform was of special concern to the Italian supervisory authority. The difficulties TikTok currently encounters in verifying compliance with the age requirements for accessing the platform do not allow it to rule out the risk that personalised ads with unsuitable content will be served to young users on the basis of the company's legitimate interest.
Therefore, the supervisory authority relied on the powers conferred on it by the GDPR and sent a formal warning to TikTok that processing data on the basis of its legitimate interest would be contrary to the current regulatory framework, at least as regards the information stored on users' devices, and would entail all the relevant consequences, including corrective measures and fines.
The supervisory authority reserved the right to take additional measures, including urgent measures, if TikTok does not reverse course.
The finding of an infringement of the e-Privacy Directive allowed the Italian authority to act directly and urgently against TikTok, outside the cooperation procedure set out in the GDPR, which would have required the Irish Data Protection Commission to lead the proceedings, since TikTok's main EU establishment is in Ireland.
In any event, relying on the controller's legitimate interest to process information which is not stored on users' devices does not appear to be in line with the GDPR either. The supervisory authority therefore informed the European Data Protection Board (EDPB) and the Irish Data Protection Commission of its decision so that they can consider further action.
Italian supervisory authority bans use of Google Analytics: no adequate safeguards for data transfers to the USA
A website using Google Analytics without the safeguards set out in the GDPR infringes data protection law, because it transfers users' data to the USA, a country that does not ensure an adequate level of data protection.
The authority reached this conclusion after a complex fact-finding exercise, started in close coordination with other EU data protection authorities following the complaints received. It found that website operators using Google Analytics collected, via cookies, information on users' interactions with their websites, the pages visited and the services on offer. The diverse set of data collected in this way included the IP address of the user's device along with information on browser, operating system, screen resolution, selected language, and date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian supervisory authority reiterated that an IP address is personal data and is not anonymised even if it is shortened, given Google's ability to enrich such data with additional information it holds.
Based on these findings, the supervisory authority adopted a decision, the first of several to follow, reprimanding Caffeina Media S.r.l., a website operator, and ordering it to bring the processing into compliance with the GDPR within 90 (ninety) days. This deadline was considered appropriate to allow the operator to implement adequate measures in connection with the data transfer; if that is found not to have happened, suspension of the GA-related data flows to the USA will be ordered.
The Italian supervisory authority highlighted, in particular, that US governmental and intelligence agencies may access the personal data being transferred without the required safeguards; it pointed out in this regard that the measures adopted by Google to supplement the data transfer instruments did not ensure an adequate level of protection for users' personal data in light of the guidance provided by the EDPB in its Recommendations 01/2020 of 18 June 2021.
Upon expiry of the 90-day deadline set in its decision, the Italian SA will check that the data transfers at issue comply with the GDPR, including by way of ad hoc inspections.
Public consultation on administrative fines
27 June was the deadline for submitting comments on the Guidelines 04/2022 on the calculation of administrative fines under the GDPR. The European Data Protection Board (EDPB)'s proposal sets out a methodology in five parts:
1. concurrent infringements, unity of action and plurality of actions
2. starting point for calculation
3. aggravating and mitigating circumstances
4. legal maximum
5. effectiveness, dissuasiveness, proportionality.
The final version of the guidelines will be released after the public consultation closes, taking into account the comments submitted by stakeholders, with the aim of harmonising the application of fines across Europe.
To learn more, contact me.