TikTok fined by Dutch DPA


TikTok fined by Dutch DPA for failure to provide translated information to users

The video-sharing social networking app TikTok was recently fined by the Dutch DPA, according to this report from the EDPB. During an investigation into apps typically used by minors, it was discovered that the information provided when installing the app (including the privacy policy) was available only in English. By failing to provide this information in Dutch, TikTok did not give Dutch-speaking users clear, comprehensible information on what happens with their personal data, which in and of itself is a violation of their privacy rights. TikTok has been hit with a fine of €750,000, to which the company has objected.

TikTok, fined by the Dutch DPA, and now being investigated by the Irish DPA after establishing headquarters in Ireland. 

While this initial fine was imposed by the Dutch DPA, and rightfully so, because at the time TikTok had no headquarters in the EU, the company has since established headquarters in Ireland. The initial fine could have been imposed by any EU member state; however, any subsequent investigations must be handled by the Irish Data Protection Commission. The Dutch Data Protection Authority can only be expected to assess the violation related to the privacy statement, which had ended by the time headquarters had been established in Ireland. When a company has no European headquarters, any EU member state can oversee its activities; if it does have European headquarters, this responsibility falls on the country which houses them.

TikTok has made changes to their app to make it safer for child users. 

Since last October, when the Dutch DPA submitted the results of its investigations to TikTok, certain key changes have been made to protect users under 16 while they use this app. While these changes are not entirely foolproof because children can still pretend to be older by creating their account with false information, the DPA welcomes the adjustments made by TikTok to reduce the risk for child users. Parents are now able to manage their children’s accounts through their own accounts, or through the ‘Family Pairing’ feature. This will not prevent children from putting themselves at risk by lying about their age; however, it will give parents the power to monitor their children’s accounts and provide greater security to them.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Children’s Code - transitionary period

Children’s Code transitionary period ends in less than 6 months

The children’s code transitionary period, which saw its inception on 2nd September 2020, ends in less than 6 months. All online services are expected to be in compliance with this code by September 2021. 

Last year, we reported that the Children’s Code, then known as the Age Appropriate Design Code, was about to come into effect on September 2, 2020. Since then, we have been in a transitionary period during which all online services are expected to come into compliance with this code. The ICO has just released a statement urging businesses to ensure that they are in full compliance by the end of this transitionary period, in less than 6 months.

This code is a statutory code of practice laying out 15 standards which are aimed at ensuring children’s best interest online.

The Children’s Code lays out 15 standards to ensure that children’s best interest is at the forefront. These standards include principles governing the best interest of the child, data protection impact assessments, age appropriate application, transparency, detrimental use of data, policies and community standards, default settings, data minimization, data sharing, geolocation, parental controls, profiling, knowledge techniques, connected toys and devices, and online tools. During this transitionary period, online services are expected to take steps to bring their services into full compliance with this code, ensuring that all principles are considered and that their services support the rights of the child.

This code applies to any online product or service likely to be accessed by children and is not limited to only those aimed at children.

This code will apply to every online service that is likely to be accessed by children. This means that not only are services made for children expected to come into compliance, but every service that may be accessed by children will need to as well. Online services may take a risk-based approach to recognizing the age of their individual users to ensure that the standards in this code will be applied to child users. Unless the age of the individual users can be established with a level of certainty, this code should be applied to all users on the platform.

The ICO has launched initiatives to detect businesses’ readiness for compliance with this code, as well as to educate and sensitize on the topic of the Children’s Code.

The ICO recently conducted a survey to gauge general understanding of the age-appropriate design code. Some 500 services were part of this survey, and the findings so far show that about 75% of businesses are aware of this code. The ICO has set up what is called the Children’s Code hub, with a range of resources for organizations to understand the code and to know whether they are in the scope of it. The regulator has also been holding webinars and will be hosting a workshop at the Festival of UX and Design 2021 to help raise awareness within the design community and explain how this code can be applied to innovative projects. The ICO has also launched a call for transparency champions, which will consist of organizations designing projects using privacy information in a way that is tailored to children’s understanding.

Does your company offer online services likely to be accessed by minors? If so, it will be imperative that you adhere to the UK Data Protection Code once it is effected. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance. Aphaia provides GDPR adaptation consultancy services and CCPA compliance, including EU AI Ethics assessments. Contact us today.

A data broking investigation

A data broking investigation by ICO results in enforcement action against Experian.

A data broking investigation conducted over the past two years has resulted in an enforcement action against the company Experian.


A data broking investigation into Experian, as well as Equifax and TransUnion, and their use of personal data within their data broking businesses has resulted in enforcement action. Earlier this month, the ICO published a report on the findings of their extensive investigation into these data broking companies, their processes, and the legislative framework which led to this outcome.


The investigation found significant processing of personal data unbeknownst to the data subjects, by the CRAs; Equifax, TransUnion and Experian.


The investigation by the ICO uncovered how these three CRAs (Credit Reference Agencies) were trading, enriching and enhancing people’s personal data without their knowledge. This personal data was then used by commercial organizations, political parties and charities to find new customers, build profiles about people, and also identify the people most likely to be able to afford their goods and services.


The ICO defines data broking as “the practice of obtaining information about individuals and trading, including by licensing, this information or information derived from it as products or services to other organisations or individuals. Information about individuals is often aggregated from multiple sources, or otherwise enhanced, to build individual profiles.” Collecting and using an individual’s personal data without their knowledge goes against data protection law.


Through the data broking investigation, the ICO uncovered several data protection failures at each company. 


Through their investigation the ICO found that the personal data provided to each of these CRAs which would then be used to provide the statutory credit referencing function, was also being used for marketing purposes in limited ways. Some of the CRAs also engaged in profiling to generate new information or previously unknown information about the data subjects. 


These companies also failed to be transparent. While they did provide some privacy information on their websites, it did not clearly explain what they were doing with people’s data. In addition to this, they were using some lawful bases incorrectly to process the data. 


While all three companies were at fault, only Experian was subjected to enforcement action because they did not do enough to improve compliance.


All three CRAs made improvements to their Direct Marketing Services business as a result of the work done by the ICO. In addition to this, Equifax and TransUnion withdrew some of their products and services. For this reason the ICO has chosen not to take any further action against them. 


While Experian has also made some progress, the ICO found that the company did not go far enough. This CRA does not accept accountability for making changes set out by the ICO, and as a result, was not prepared to issue privacy information directly to data subjects, nor was it prepared to stop using credit reference data for direct marketing purposes.


Experian is now expected to make necessary changes to their framework within 9 months or risk further action including being fined.


The ICO decided to issue an enforcement notice, as it is seen as the most effective way of achieving compliance in this situation. The notice orders Experian to make the necessary changes within 9 months or risk further action. The company now risks being hit with a fine of up to €20 million or 4% of its total annual worldwide turnover. This notice from the ICO also requires Experian to inform people that it holds their personal data. The company must also stop using the data derived from the credit referencing side of its business by January 2021.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

coronavirus pandemic and data protection

The Coronavirus Pandemic and Data Protection.

The Coronavirus (COVID-19) Pandemic and Data Protection: Guidelines for employers regarding privacy laws during the pandemic.

With recent developments in the global arena, the outbreak of the coronavirus has led to many changes in the workplace. Numerous employees have taken to working from home with the new push for social distancing and self-quarantining. There has been much concern over who may or may not be infected, who has definitely been exposed to the virus, or who may have visited a country with severe outbreaks. The sharing of information has become critical as medical and other professionals recognize the need for disclosure for the sake of the health of the general public.

The ICO recently released a statement regarding data protection during the coronavirus (COVID-19) pandemic in which the organization expressed an understanding of the fact that businesses will need to adapt the way that they work. While there will be understandable delays where individuals or businesses make information rights requests during this pandemic, the ICO is unable to extend the statutory timescales. However, the ICO maintains that they will not penalise organisations who need to prioritise other aspects of their business over the usual compliance and information governance.

Employee Health and Data Protection.

For the duration of this global pandemic, office staff should be informed about any cases of the virus within the organisation. Names do not need to be disclosed; however, because businesses do have an obligation to ensure the health and safety of their employees, data protection does allow them to divulge information on confirmed cases within the organisation.

It is not necessary to collect loads of information on employees’ health, however it is reasonable to stay informed on their travel history, or whether they are presenting symptoms of the virus. It is important, if there is a need to collect specific health data, that businesses only collect data that is necessary and treat that data with the appropriate safeguards. In the context of an epidemic, employers and relevant health officials do not need consent to process this data, especially when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests or to comply with another legal obligation.

In a recent statement, Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

If it is not possible to process exclusively anonymous data, Article 15 of the ePrivacy Directive allows Member States to introduce legislative measures for the sake of national and public security. This emergency legislation is allowed under the condition that, within a democratic society, it forms part of a necessary, appropriate and proportionate measure, given the circumstances. If these measures are introduced, the Member State will need to apply adequate safeguards, like granting individuals the right to judicial remedy.

Communication of Vital Information by Authorities and the GDPR

During this time of pandemic the government, the NHS or any other health professionals may also need to send health messages to the general public either by phone, text or email. These messages are not considered direct marketing or advertising and therefore are not hindered by data protection laws.

Remote workers and Data Protection.

With more people working from home or working remotely due to the pandemic, the ICO reminds businesses that the same type of security measures must be in place for people who are working remotely as is the case for workers in a normal office setting. Employees may use their own computers and other devices, however, with security measures maintained, data protection does not hinder employees who need to work from home.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.