March 2023– On 1 March 2023, the Turkish Personal Data Protection Board ("Board") announced that it had imposed an administrative monetary fine of TRY 1,750,000 (approx. EUR 87,000) against the Chinese social media platform and short-form video hosting service TikTok on the grounds that TikTok did not apply adequate security measures.

Before the decision, what happened?

As a result of various complaints and news reports alleging that (i) there is unlawfulness when obtaining and for the retention of personal data, (ii) TikTok does not obtain explicit consent in line with Turkish DP Law, and (iii) there are many security flaws in TikTok's software, the Board initiated an ex officio investigation.

Most importantly, in its decision the Board highlights the update made to TikTok's privacy policy in January 2021 that may impact the privacy of children's data.

Children first!

In its decision, the Board reviewed the privacy setting for children before the update made in January 2021. With the update, TikTok changed the privacy settings for the accounts of users aged 13–15 to "private" and as a result, users can only display the videos posted by approved followers, and persons who can download and comment on videos are restricted.

In its decision the Board highlights the privacy policy of TikTok before January 2021 and concludes that TikTok did not mitigate the risks related to users from sensitive age groups before the update.

In addition to this, the Board also emphasised that the personal data of children under the age of 13 was displayed and collected without appropriate parental consent before the said update. In this respect, there is a risk that children may be adversely affected due to such interactions.

Language is important

The Board stated that (i) TikTok did not duly fulfil its obligation to inform and (ii) violated principles of "processing personal data for specific, explicit and legitimate purposes" and "being relevant, limited and proportionate to the purpose" since:

  • The privacy policy on the website did not provide clear information about which personal data was processed for what purpose and based on which legal basis.
  • The content was not presented to the users in an understandable format because the Terms of Service were not prepared in the Turkish language. For this reason, it is underlined that users were likely to accept the terms without fully understanding them.
  • Although TikTok's privacy policy is essentially a text prepared to fulfil the obligation to inform, it is also used as the explicit consent letter. Thus, this violates the requirement that explicit consent is performed separately from the obligation to inform.

Cookies are on the board, too

The Board also determined that TikTok processes personal data by using cookies for profiling purposes, but explicit consent is not obtained from users. As a result, such data processing activity violates Turkish data privacy law.

What the Board concluded?

The Board finalised its investigation and imposed an administrative monetary fine of TRY 1,750,000 (approx. EUR 87,000) on TikTok, as TikTok did not take all necessary technical and organisational measures to ensure data security.

In addition, the Board instructed TikTok to:

  • translate its Terms of Service into Turkish in one month,
  • make its privacy policy comply with Turkish DP Law in three months, and
  • fulfil its obligation to inform in line with the applicable legislation.

It is understood from the decision that the Board has adopted a stricter approach to children's data, and that using the Turkish language in documents is preferable to ensure that data subjects can fully understand the data processing activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.