EU: EDPB releases binding decision on DPC's TikTok case
The European Data Protection Board (EDPB) released, on September 15, 2023, its Binding Decision 2/2023, as adopted on August 2, 2023, in accordance with Article 65(1)(a) of the General Data Protection Regulation (GDPR), on the dispute arising on the draft decision of the Data Protection Commission (DPC) regarding TikTok Technology Limited, and the subsequent objections expressed by other data protection authorities. In particular, the binding decision relates to the processing of personal data of registered TikTok platform users who are aged between 13 and 17 years old, in connection to certain design practices, as well as certain issues relating to children under the age of 13.
In particular, compared to the findings of the draft decision of the DPC:
- regarding the possible additional infringement of Article 5(1)(a) of the GDPR, the EDPB found that TikTok had infringed the principle of fairness in the context of the registration pop-up and the video posting pop-up practices;
- in relation to the possible infringement of Article 25 of the GDPR, the EDPB expressed serious doubts regarding the effectiveness of the age verification measures put in place by TikTok, however, it ultimately considered that it lacked sufficient information to conclusively assess TikTok's compliance with Article 25(1) of the GDPR; and
- on corrective measures, the EDPB instructed the DPC to expand the compliance order envisaged in its draft decision and to include in its final decision an order to TikTok to bring its processing in the context of the registration pop-up and the video posting pop-up into compliance with the principle of fairness.
Further to the binding decision, the DPC adopted its final decision on September 1, 2023, where it fined TikTok €345 million.
You can read the binding decision here.
Update: September 20, 2023
LfDI Baden-Württemberg welcomes EDPB's binding decision
The Baden-Württemberg data protection authority (LfDI Baden-Württemberg) released, on September 19, 2023, a statement welcoming the EDPB's binding decision. In particular, the State Commissioner, Prof. Dr. Tobias Keber, noted that the design of interfaces of digital services can be manipulative, inducing users into behaviors that can harm them. In this regard, Keber highlighted that those responsible for digital services should not mislead users and should instead implement Data Protection by Design and by Default settings. Lastly, Keber stated that in the future, the LfDI Baden-Württemberg will increasingly check whether digital service providers comply with the EU legal requirements of Data Protection by Design and by Default principles.
You can read the statement, only available in German, here.
Update: November 22, 2023
TikTok brings action before CJEU to annul EDPB binding decision
On November 20, 2023, the action brought on October 10, 2023, by TikTok before the Court of Justice of the European Union (CJEU) requesting the annulment of the EDPB's binding decision was published in the Official Journal of the EU. In particular, the action notes that TikTok relied on four pleas in law, alleging that:
- the EDPB exceeded its competence under Article 65(1)(a) of the GDPR;
- the EDPB infringed TikTok's rights under Article 41 of the Charter of Fundamental Rights of the European Union (Charter);
- the EDPB erred in law in finding that the Account Information Pop-Up and First Post Pop-Up infringed Article 5(1)(a) of the GDPR; and
- the procedure under Article 65(1)(a) of the GDPR is incompatible with Articles 41, 47, and 48 of the Charter and with the Meroni principles and must be declared unlawful and invalid.
You can read the action here.