The TikTok case in Italy and children’s data protection

In December, the case of the death of a child in Italy has opened a wider scenario on the use of TikTok by minors.

The so-called "Blackout Challenge" has taken hold between teenagers on their social network profiles. Participants challenge themselves in extreme scenarios by recording their actions and sharing them with other users.

This time, the life of a ten-years-old Italian girl lost to death while challenging her endurance against a belt.

The incident has raised the willingness of the Italian Data Protection Authority (Garante Italiano per la Protezione dei Dati Personali) to intervene. On 22 January 2021, the Authority has ordered TikTok the immediate blocking of the use of data of users whose age has not been certainly ascertained, until 15 February 2021.

The blocking measure will be brought to the attention of the Irish Authority, given that TikTok has recently announced that it has set up its establishment in Ireland.

Previously the Authority had already contested to the social network the lack of attention to the protection of minors, easy circumvention of the platform's ban on registration for minors under 13 years of age; lack of transparency and clarity in the information provided to users; use of default settings, which do not comply to privacy regulations.

The main issues, according to the European General Data Protection Regulation and Italian regulations on data protection matters could be explained as follows:

• Inadequate protection of minors at registration: Article 2-quinquies, para.1 of Italian Privacy Code, updated by Italian Legislative Decree 101/2018 provides that, as per Article 8 GDPR, the minor who has reached the age of fourteen years may express consent to the processing of their personal data in relation to the direct offer of information society services. With respect to such services, the processing of personal data of a child under the age of fourteen, based on Article 6(1)(a) of the Regulation, is lawful only if it is carried out by the person exercising parental responsibility. TikTok formally allows the registration of children under thirteen years old, but this prohibition could be easily circumvented by introducing a false date of birth, which is not verified. Moreover, there is no tool that allows the parent or guardian of the child to be possibly asked and express their consent to the registration of the child to the social network. The social network, therefore, does not seem to adequately prevent the uncontrolled entry of children within the platform.
• Lack of transparency on privacy notice: Article 2-quinquies, para.2 of Italian Privacy Code requires also that the Data Controller shall draw up the information and communications relating to the personal data processing concerning the minor in a language which shall be particularly clear and simple, concise, and exhaustive, easily accessible, and understandable by the child- in order to make the consent given by the minor significant. Also, data retention period and data transfers outside the European Union is not clearly specified. On this regard, the Authority denounces how the information of TikTok is "standardized and does not take into specific consideration the situation of minors".
• Default public profile. The social network, during the creation of the profile, pre-sets it as "public", giving by default maximum visibility to the contents of minors.

Such issues had been already tested by Musical.ly, which was later acquired and incorporated into TikTok: in 2019 the US Federal Trade Commission said Musical.ly knowingly hosted content published by underage users.

As a response, the company accepted to pay $5.7mln and implement new measures to handle the access to users under the age of 13.

Indeed, the American Children's Online Privacy Protection Act, or COPPA, forbids social media companies from collecting the data of children without explicit parental consent.

Failure to obtain that consent has constituted violation of the law and opened the company up to lawsuits from the Federal Trade Commission.

It might be the same outcome in Italy and Europe, where the Charter of Fundamental Rights of the European Union establishes the prevalence of minors' interests, and therefore of their protection, in all acts concerning them, whether they are carried out by public authorities or private institutions. And so is their privacy.