March 2023 – On 1 March 2023, the Turkish Personal Data Protection Board (“Board”) announced that it had imposed an administrative monetary fine of TRY 1,750,000 (approx. EUR 87,000) against the Chinese social media platform and short-form video hosting service TikTok on the grounds that TikTok did not apply adequate security measures.
Before the decision, what happened?
As a result of various complaints and news reports alleging that (i) there is unlawfulness when obtaining and for the retention of personal data, (ii) TikTok does not obtain explicit consent in line with Turkish DP Law, and (iii) there are many security flaws in TikTok's software, the Board initiated an ex officio investigation.
In its decision, the Board reviewed the privacy setting for children before the update made in January 2021. With the update, TikTok changed the privacy settings for the accounts of users aged 13–15 to "private" and as a result, users can only display the videos posted by approved followers, and persons who can download and comment on videos are restricted.
In addition to this, the Board also emphasised that the personal data of children under the age of 13 was displayed and collected without appropriate parental consent before the said update. In this respect, there is a risk that children may be adversely affected due to such interactions.
Language is important
The Board stated that (i) TikTok did not duly fulfil its obligation to inform and (ii) violated principles of "processing personal data for specific, explicit and legitimate purposes" and "being relevant, limited and proportionate to the purpose" since:
Cookies are on the board, too
The Board also determined that TikTok processes personal data by using cookies for profiling purposes, but explicit consent is not obtained from users. As a result, such data processing activity violates Turkish data privacy law.
What the Board concluded?
The Board finalised its investigation and imposed an administrative monetary fine of TRY 1,750,000 (approx. EUR 87,000) on TikTok, as TikTok did not take all necessary technical and organisational measures to ensure data security.
In addition, the Board instructed TikTok to:
It is understood from the decision that the Board has adopted a stricter approach to children's data, and that using the Turkish language in documents is preferable to ensure that data subjects can fully understand the data processing activities.
For more information please contact Ceren Ceyhan, Associate, at firstname.lastname@example.org, and Legal Interns Hatice Nur Arslan, at email@example.com, and Bahar Bozdemir, at firstname.lastname@example.org.