The Italian data protection authority ('Garante') issued, on 7 July 2022, its Decision No. 248, in which it imposed an urgent warning against TikTok Italy S.r.l. and TikTok Technology Limited, for envisaged violations of Article 5(3) of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') and Article 122 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the General Data Protection Regulation (Regulation (EU) 679/2016) ('GDPR') ('the Code'), following a press release on the issuance of the warning in question.

Background to the decision

In particular, the Garante reported that it had started an investigation following TikTok's announcement, in June 2022, relating to forthcoming changes in its privacy policy. Specifically, the Garante explained that TikTok had communicated to the users, also through specific messages, the intention to start, from 13 July 2022, targeting users, above 18 years of age, with personalised ads, based on profiling behaviours on the platform. Additionally, the Garante pointed out that, according to the new privacy policy, such processing of personal data would be based on the legitimate interests of TikTok, its advertising partners, and its users, pursuant to Article 6(1)(f) of the GDPR, rather than on the consent of the data subjects.

Thereafter, the Garante stated that it had requested TikTok Italy to provide further information, including on the reasons underlying the choice to rely on legitimate interest as a legal basis. Further to this, the Garante noted that TikTok Italy had clarified, among other things, that the processing activities in relation to targeting users with personalised ads would involve both data obtained from activities on TikTok (i.e. information collected directly from the users' actions on the platform) and data derived from activities outside TikTok (i.e. information received from external partners operating in the advertising, measurement, and data sectors, obtained from the users' activity carried out outside the platform).

Findings of the Garante

Further to the above, the Garante determined that, despite what TikTok had communicated, it was evident from the version of the privacy policy due to come into force on 13 July 2022, that TikTok, among others, had intended to use automatically collected information, namely information on the users' device, including the operating system, typing patterns, IP address, and information on a user's location. Separately, the Garante also highlighted that, according to the same privacy policy, TikTok uses cookies and similar tracking technologies, including for marketing purposes.

As such, the Garante held that, on the basis of Article 5(3) of the ePrivacy Directive and Article 122 of the Code, TikTok's planned activity of targeting users with personalised ads, through profiling of their behaviour within the platform, cannot be based on legitimate interest, at least to the extent to which such activities are based, as expressly mentioned in TikTok's privacy policy, on automatically collected information and on information stored on the users' device. Therefore, the Garante concluded that the processing of the users' personal data which Tik Tok intends to undertake from 13 July 2022 will likely breach Article 5(3) of the ePrivacy Directive and Article 122 of the Code.

Separately, the Garante pointed out that, based on the abovementioned elements, TikTok's processing activities also present several critical profiles under the GDPR, which are being investigated by the Garante. On this point, the Garante further confirmed that it had informed the European Data Protection Board ('EDPB') and the Data Protection Commission ('DPC') of its decision, and advised that the same should consider taking urgent action within the framework of the cooperation procedures under the GDPR.

Outcomes

In conclusion, the Garante issued a warning against TikTok Italy and TikTok Technology and highlighted that, should the same proceed with the processing activities described above from 13 July 2022, the Garante reserves the right to take further action, including imposing sanctions. Lastly, the Garante noted that TikTok Italy and TikTok Technology may lodge an appeal against the decision before the ordinary judicial authority.

You can read the decision, only available in Italian, here.

UPDATE (14 July 2022)

Italy: Garante confirms TikTok suspending planned switch to legitimate interest as legal basis for ads

The Garante announced, on 13 July 2022, that, following its warning, TikTok had suspended the switch to legitimate interest as the legal basis for personalised advertising for people over the age of 18 based on the profiling of behaviour when browsing on the platform. Specifically, the Garante acknowledged TikTok's decision as responsible and declared itself open to a dialogue aimed at finding a balance between economic interests and users' rights.

You can read the press release, only available in Italian, here.

UPDATE (18 July 2022)

EDPB publishes English summary of Garante's decision to warn TikTok

The European Data Protection Board ('EDPB') published, on 15 July 2022, an English summary of the warning imposed by the Garante against TikTok in relation to personalised ads based on legitimate interest.

You can read the summary here.