Evaluation On Children’s Privacy Within the Scope of Türkiye’s, the United Kingdom’s and the Netherlands’ Authorities’ Decisions
Nowadays, with the widespread use of the internet, children's access to digital environments has also increased. However, this situation has also created some problems. Children, who are a more vulnerable group than adults, cannot foresee the consequences of sharing their personal data, are not aware of the risks, and do not know their legal rights and how to exercise them. Therefore, legislators have adopted certain rules to protect children's personal data as part of their positive obligations.
This article analyses the provisions adopted by the European Union and Türkiye for the protection of children's personal data in the context of the fines imposed on the social media platform TikTok.
- EUROPEAN UNION AND TURKISH LEGISLATION
The European Union's regulation on the protection of personal data is the General Data Protection Regulation (“GDPR”). GDPR has entered into force in 2016 and is covering all states of European Union and is in force in all these states.
Article 8 of the GDPR regulates the lawfulness of consent in case of processing the personal data of the child. According to the provision of the Article, in cases where the consent of the data subject is relied upon as a ground for compliance with the law, the consent is valid if the child is at least 16 years old. If the child is under the age of 16, the data processing activity can only be considered lawful if the consent is given or authorized by the person who has parental responsibility over the child.
Article 12 of the GDPR states that the notice to the data subject must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The fact that this notice is provided to the child is particularly emphasized in the article. As it can be understood from this emphasis in the article, GDPR states that the data controller should pay particular attention to notice to be provided to the child.
Regarding Türkiye's regulations on the protection of personal data, The Personal Data Protection Law does not contain any specific provision on children. However, in the TikTok decision, which will be examined in the next section, Turkish Personal Data Protection Board (“The Board”) draws attention to certain issues regarding obtaining explicit consent when processing children's personal data. Although any specific Articles about children has not yet entered into force, as The Board has evaluated the processing of children's personal data in its decision, organizations should review their practices in light of this decision.
- EVALUATION WITHIN THE FRAMEWORK OF THE NETHERLANDS’, THE UNITED KINGDOM’S AND TÜRKİYE’S DECISIONS
In this section, the decisions of the data protection authorities from (i) the Netherlands, (ii) the United Kingdom and (iii) Türkiye on TikTok will be briefly analyzed.
i. The Dutch Data Protection Authority (“The AP”) has fined TikTok € 750,000 for violating children’s privacy in its decision. According to the research cited in the decision, a large group of Dutch children under the age of 16 and estimated 830.000 children under the age of 18 use TikTok. It is also stated in the decision that TikTok is used more by children around the age of 12.
In response to TikTok's claim that there is no violation in the concrete case because the majority of Dutch people speak English, The AP stated that it cannot be taken for granted that the data subject children in the mentioned age group have a good command of English, and that this situation does not compensate the violation of Article 12 of the GDPR.
ii. From the United Kingdom, The Information Commissioner’s Office (“The ICO”) has fined TikTok £12,700,000 for multiple breaches of data protection law in the country, including failing to use children's personal data in accordance with the law. The ICO found that;
(a) the data of children under the age of 13 was processed without consent or authorization from their parents or carers,
(b) that data subjects were not provided with proper notice of how their data was collected, used and shared, and
(c) that their data was therefore not processed in a lawful, fair and transparent manner.
Within the scope of this decision, it is understood that in cases where personal data is processed based on the legal ground of consent, if the data subject is under the age of 13, the consent of his/her family or carer must be obtained, and the notice to the data subject must be provided in an easily understandable manner.
iii. In the decision given by the Turkish Data Privacy Authority (“The Board”), it was evaluated that the personal data of children under the age of 13 who use the application was displayed and data was collected about children without appropriate parental consent, the relevant text for notice was not translated into Turkish while obtaining approval in the Terms of Service section of TikTok, and since the content was not presented in an easily understandable form, it was possible that users may accept the terms without fully understanding them. In addition, children in this age group are characterised as a vulnerable age group by The Board.
According to the evaluations given above, although the Turkish Data Protection Law does not specify the terms for processing personal data of data subjects in the sensitive age group, in the decision in question, The Board found it risky to process the personal data of data subjects in the sensitive age group without the approval from their eligible parents. Moreover, the terms of service and notice must be provided in Turkish language to ensure that users in Türkiye easily understand these texts.
- PRINCIPLES TO BE ISSUED UNDER THE DECISIONS
Although the European Union regulation is an inclusive regulation, each country may regulate personal data in its domestic law. The United Kingdom’s, the Netherlands’ and Türkiye’s data protection authorities' decisions analyzed in this article are important as they have some commonalities despite being in different jurisdictions. Accordingly, common principles that may arise from these decisions and that may need to be considered by data controllers are;
1. Data controllers, whose services are also used by children, must show more sensitive approach when processing children’s personal data.
2. When processing the personal data of children in the age group specified in their legislation, data controllers must obtain the consent (or if needed the explicit consent) which is given or authorised by the person who has parental responsibility over the child.
3. Data controllers must provide notice texts in the language of the country in which they provide services. Providing the notices only in English violates the requirement to provide them in concise, transparent, intelligible and easily accessible form, using clear and plain language if the language of that country is not English.
4. Even if the obligations regarding consent and notice are met, data controllers may need to conduct risk analysis on children and take additional measures.
Kindly submitted for your information.
GÜNGÖR LAW FIRM