TikTok – Violation Found (Italy, 2021)

On the 22nd of January 2021 the Garante issued a first decision imposing the limitation of TikTok's processing of personal data related to users under the age of 13. On the 11th of February 2021, the Garante issued a [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9554603 second decision] renewing such limitation. In the decision, the Garante presents some findings of its report on the compliance of TikTok with the notification received from the Garante itself. First, according to the authority, the self-certification mechanism implemented by TikTok to verify the age of its users is not sufficient to “significantly limiting the number of users under the age of 13”. Secondly, the message delivered to the media by TikTok did not have the “necessary elements of urgency and alarm” to raise awareness concerning parental liability. Moreover, the additional measures adopted by the social network – such as implementing a new reporting system, increasing the number of Italian moderators and the monitoring of users activities – did not bring any result, according to the Italian DPA. The Garante was also not satisfied with the deposition presented by TikTok. According to the Supervisory Authority, “an agreement whereby a minor user consents to the processing of his or her personal data in connection with the use of an information society service cannot be considered, under Italian law on the validity of contracts, an "atto comune" (literally “common act”), with the result that the relevant contract cannot be considered validly concluded”. Moreover, the information provided as per Article 13 GDPR were not compliant with the requirements of Article 12 GDPR in light of the fact that TikTok services are factually intended for minors. Finally, the age verification mechanisms did not respect the privacy by design principle. According to the Garante, these findings confirm the unlawful nature of the data processing, and the persistence of the risks for