Italy warns TikTok over privacy policy switch

TikTok’s attempt to switch legal basis for targeting advertising at users in Europe looks to be in trouble after Italy’s data protection watchdog stepped in and issued a warning of legal inadequacy just days ahead of the planned privacy policy change.

The user-generated video sharing platform attracted attention from privacy experts last month when it quietly disclosed an incoming change to its T&Cs for users in the European Economic Area, the U.K. and Switzerland, which it said would apply from July 13 — to shift from relying on consent to process user data to run “personalized” ads to claiming a legal basis known as ‘legitimate interests’ and saying it would therefore stop asking users for their permission to be tracked for targeted ads.

Privacy experts quickly questioned whether the switch would pass muster with data protection regulators.

The answer — at least in Italy — appears to be no.

Writing in a press release announcing its “formal warning” to TikTok, the Italian authority — which said it “immediately” began a fact-finding exercise on hearing of TikTok’s planned privacy policy revision — has concluded that the planned switch of legal basis is incompatible with the EU directive and with the local data protection law that transposed the EU’s framework.

“Both legal instruments set out explicitly that the data subjects’ consent is the only legal basis for ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’,” it warned.

Italy’s DPA has also raised concerns about the risks of TikTok targeting children if it goes ahead with the changes — given earlier concerns about whether it’s able to identify underage usage of its platform.

The Garante said it is acting under the EU’s ePrivacy Directive which covers tracking technologies and data processed on a terminal device.

The directive allows it to intervention at a national level — rather than having to refer concerns to Ireland’s data protection agency, which leads on complaints against TikTok that fall under the General Data Protection Regulation (GDPR) as a result of the regulation’s so-called “one-stop-shop” mechanism which is intended to simplify compliance for businesses (but which critics argue has allowed tech giants to evade accountability for privacy-hostile data processing via forum shopping).

Ireland’s Data Protection Commission (DPC) does have two open GDPR investigations into TikTok’s activities — which were launched back in September 2021 (including one focused on its processing of kids’ data) — but neither probe has resulted in any decisions, public warnings or orders as yet.

So the contrast with Italy’s regulator acting so swiftly in response to a concern looks marked.

As well as giving TikTok a formal warning today, Italy’s DPA also said it reserves the right to take additional measures, including an urgency procedure, if the platform “does not take a step back”.

The GDPR’s Article 66 allows for data protection regulators to circumvent the standard requirement to funnel concerns through a lead supervisor — and immediately adopt provisional measures nationally (which can last for three months) — if they are convinced there is an urgent need to act to protect the rights and freedoms of data subjects. So there is a mechanism the Garante could seek to use to act quickly under the GDPR, i.e. if TikTok does not back down over the privacy policy switch.

It has used this mechanism to step in before over urgent concerns attached to TikTok’s platform — warning over inadequate age checks back in 2020, for example, and then ordering TikTok to block users it could not age verify.

A few months after that TikTok purged over half a million accounts in Italy which it could not confirm did not belong to minors.

Now Italy’s data watchdog said it has a “special concern” over the platform switching to an inadequate legal basis in relation to the protection of registered child users too, warning: “[T]he difficulties currently encountered by TikTok in order to establish compliance with the age requirements to access the platform do not allow ruling out the risk that ‘personalised’ ads including unsuitable contents will be served to very young users based on the company’s legitimate interest.”

Hence it’s taken the step of issuing a formal warning to TikTok that processing user data on the basis of ‘legitimate interest’ would be “in conflict with the current regulatory framework, at least with regard to the information stored in users’ devices, and would entail all the relevant consequences also in terms of corrective measures and fines”, as it puts it.

While the EU’s GDPR allows for fines that can scale as high as 4% of total global turnover in the preceding year for confirmed breaches of the rules, the older ePrivacy Directive empowers Member States’ competent agencies to issue “effective, proportionate and dissuasive” penalties (which, in a few recent cases, has led to some notable fines for tech giants, some exceeding $100M, and even netted some notable policy rethinks — so enforcement of EU privacy regulation is certainly having an impact, even if far more is needed).

“The finding of an infringement of the ePrivacy directive allowed the Italian SA to step in directly and urgently regarding TikTok, outside the cooperation procedure as set out in the GPDR which would have required the Irish Data Protection Commission to lead the proceeding — since TikTok placed its main EU establishment in Ireland,” the Garante explains in its press release, before saying it does not believe TikTok’s planned privacy policy change would be legal under GDPR either — adding that it’s therefore also informed both the Irish DPC and the European Data Protection Board (EDPB) “in order for them to consider further action”.

It’s not clear what further action might result.

The DPC could decide to open a fresh enquiry (assuming TikTok doesn’t abandon its plan) — although the timeframes involved in the Irish regulator’s cross-border/big tech case work to date suggest it could be years before it would arrive at a decision and any enforcement.

The EDPB could, therefore, have an important role to play — if the Italian watchdog decides to go ahead with an Article 66 GDPR urgency procedure and asks it to step in and adopt final measures against TikTok.

While the Board declined such a request from the Hamburg DPA, regarding a complaint against WhatsApp-Facebook data-sharing, last year it did order the DPC to “swiftly” investigate. And, a few months later, there was a final decision from the Irish regulator in a long running transparency enquiry into WhatsApp which resulted in a $267 million fine. (Although the link between the Board’s order and the DPC’s concluding that ‘own volition’ probe is not entirely clear-cut.)

TikTok and the Irish DPC was contacted for comment on the Garante‘s latest intervention.

Update: A TikTok spokesperson has now sent this statement:

“At TikTok, we strive to build a personalized experience for our community, and at the same time we are committed to respecting the privacy of our users, being transparent about our privacy practices, and operating in compliance with all relevant regulations. While our evaluation of the Italian Data Protection Agency’s recent notice is still ongoing, we cannot comment further.”

In recent years, the video sharing platform has also faced regional scrutiny from consumer protection regulators. Concerns were raised back in February 2021 by a number of agencies — including around child safety and marketing. Those coordinated consumer protection complaints led to a ‘formal dialogue’ led by the European Commission and, just last month, regulators accepted a set of commitments from TikTok to tweak its ad disclosures (with no penalties issued at that point).

However privacy concerns about TikTok’s profiling of users were not resolved as part of the consumer protection action — which may also explain why Italy’s DPA has decided to make its own intervention now.

Update 2: The DPC has also now sent a statement declining to comment on the Garante‘s assessment that TikTok’s planned switch to a legitimate interest ground violates the local implementation of the ePrivacy Directive.

It said its own two open inquiry’s into TikTok are “well advanced” — suggesting the probe of its processing of children’s data will reach the draft decision phase and be sent to other EU DPAs for review next month.

Here’s the full statement:

“The DPC notes that the Garante considers TikTok’s proposed reliance on legitimate interests violates the Italian transposition of the e-privacy directive. The DPC cannot comment on whether that is the case.

“In terms of the GDPR compliance of the changes TikTok has announced, the DPC sought detailed information from TikTok on the changes announced which it immediately consulted all other EU data protection supervisory authorities on and while it is also completing its own analysis. To date, the DPC has received no response from other EU SAs other than the comment in the press release issued by the Garante. The DPC will complete its analysis shortly.

The DPC has two investigations into TikTok well advanced. The DPC opened an inquiry examining TikTok’s transfers to China last September. This inquiry is ongoing with the Statement of Issues sent to TikTok on the 7th of July. We are currently awaiting their submissions.”

In addition, we also have another inquiry open into TikTok in terms of their processing of children’s data (also opened last September) and we expect to bring a draft decision in this inquiry to our fellow EU Data Protection Authorities next month.