TikTok and WhatsApp Faced with GDPR Fines

TikTok is the social media platform that has woven its way into our society and ingrained itself in the minds of our children. The video content app, which allows its users to record videos of up to 3 minutes long using different audios and effects, has grown exponentially in popularity over the pandemic. In 2020, TikTok was one of the most downloaded apps available to users. Parents and teachers alike will be familiar with the ever-changing references and trends that children obsess over when it comes to their new online fixation. However, the App has recently received an administrative fine under the GDPR for not adhering to its obligations to users.


During July 2021, the Dutch Data Protection Authority (DPA) announced that it had evaluated and imposed a fine of €750,000 on TikTok on the basis of a lack of transparency in its privacy policy. The App did not offer a Dutch translation of its privacy policy for its Dutch-speaking users, meaning that there was no way for them to understand the ways in which their personal data was being processed by the App. Transparency must be inclusive, allowing everyone to be informed on how their data will be collected, shared, and stored. By not presenting how the users’ data will be processed in a way that is comprehensible, TikTok was subject to a fine.


One of the individual rights under the European GDPR is the right to be informed, and transparency falls under this. When obtaining consent from a data subject, there should be clear, understandable and unambiguous information on the ways in which the user’s data will be collected, shared and stored. If a company’s privacy policy does not adhere to this standard, then the consent that the data subject gives is not valid under GDPR provisions. It is important for businesses and schools to understand that they have an obligation to their data subjects to ensure that the ways in which data is processed are clearly laid out in their privacy policy. By implementing an open and unambiguous privacy policy in your school, you will be able to steer clear of administrative fines from supervisory authorities.


The language used when discussing the ways in which user data is processed was also not simplified in a way that allows younger users to understand the terms of the policy. The DPA noted that even if the users were able to understand the English language, the privacy policy and pop-ups on the App were not comprehensible for children who are using the App, thus providing less transparency within TikTok’s policies.


Should the lack of transparency make people wary of allowing our children and students to use the App in the future? Are their rights and freedoms at stake? Some individuals may feel TikTok is just as safe as any other social media platform that teenagers and young adults are already using. There is inevitable risk when using any social media platform, particularly when the platform involves cross-border data transfers, algorithmic processes and more. However, as long as these risks are presented to users in a clear and transparent manner, individuals will be able to decide whether the benefits of the App outweigh the risk that is posed to them.



TikTok isn’t the only platform that has recently been subject to GDPR fines. WhatsApp, the Facebook-owned, end-to-end encrypted messaging service, has recently encountered the second largest fine ever to be administered under the GDPR. This came after continuous complaints in 2018 regarding the platform’s transparency and how it provides information about the way it processes the data that it collects from users.


WhatsApp was fined for failing to explain how it processed individuals’ data, including how it was shared between WhatsApp and other Facebook companies. The fine amounted to €225 million. The violation of GDPR requirements comes from the fact that its privacy policy was not unambiguous. There should be no blurred lines when it comes to a privacy policy, as the user’s consent is only valid if they fully understand how their data will be processed. If not, then the company may not be processing data in an appropriate or lawful manner.


Ireland’s Data Protection Commission, which had been investigating the case since the original complaints back in 2018, has been a powerhouse authority for scoping out negligence of GDPR responsibilities. The investigation against WhatsApp was what is known as an ‘own volition’ enquiry. This means that the regulator selected the parameters of the investigation, choosing to home in on WhatsApp’s transparency obligations.


The 9ine Privacy Academy

The 9ine Privacy Academy is for data protection professionals who feel they are lacking applicable training. By taking part in our program, which is specific to the education sector, up to five members of your team will be given informative and felicitous resources to ensure that they are able to implement the correct procedures to advance your privacy programme. With sessions focussing on privacy policies, and information rights & ethics, your school will be able to achieve compliance and make sure that no fines are administered for lack of transparency, just as they were for TikTok and WhatsApp.



If you would like to know more about how 9ine’s services can help you with social media usage and data protection, you can talk to one of our consultants directly.

