GDPR

Italian Privacy Authority considers "personalized" advertising based on legitimate interest unlawful and TikTok adapts

Last June, TikTok publicly announced that it would soon begin sending its users over 18 years of age advertising based on behavioral profiling of their browsing on the platform, without requesting consent from the data subjects, relying instead on the legal basis of the legitimate interest of the data controller (i.e., Dublin-based TikTok Technology Limited itself).

In the measure adopted as a matter of urgency on July 7, the Privacy Guarantor had warned TikTok that such processing activity would be unlawful: not under the GDPR (European Privacy Regulation), but because it is contrary to Article 5(3) of the ePrivacy Directive (Directive on privacy and electronic communications) and Article 122 of the (Italian) Privacy Code. According to the Garante, the storage of information, or access to information already stored, in the terminal equipment of a subscriber or user expressly requires that person's consent as its sole legal basis.

In the notice, the Privacy Guarantor, in light of the inability of TikTok (and other social networks) to identify those of legal age, had highlighted the risk that advertising could also reach minors.

The violation of the ePrivacy Directive allowed the Garante to take direct and urgent action against TikTok, outside of the international cooperation procedure under the GDPR. At the same time, however, the Authority had informed the Data Protection Commission of Ireland (the Irish Privacy Authority), the country where TikTok has its main establishment, and the European Data Protection Board.

TikTok currently indicates in its privacy policy (viewed on September 13) that personalized advertisements based on user activity on and off the platform will be shown with user consent (https://bit.ly/3xkqC5e).

TikTok, responsibly, has therefore deferred personalized advertising based on legitimate interest.

A FEW FACTS YOU NEED TO KNOW ABOUT THE GDPR

As many may know, starting from 25 May 2018, Regulation (EU) 2016/679, known as the GDPR (General Data Protection Regulation), on the protection of personal data, will be directly applicable in all Member States.

In a nutshell, the GDPR:

  • introduces clearer rules on information and consent;
  • defines the limits to the automated processing of personal data;
  • lays the foundation for the exercise of new rights;
  • establishes strict criteria for the transfer of personal data outside the EU;
  • sets strict rules for data breach cases.

These rules also apply to companies located outside the European Union that offer services or products within the EU market. All companies, wherever established, will therefore have to respect the new rules. Companies and institutions will have more responsibility and, in case of non-compliance with the rules, risk heavy penalties.

The "One Stop Shop"

To solve any difficulties, the "one stop shop" rule has been introduced, which will simplify the management of processing operations and guarantee a uniform approach. Companies operating in several EU countries may contact the Privacy Guarantor of the country where they have their headquarters.

Data portability

The regulation introduces the right to "portability" of personal data, which allows them to be transferred from one data controller to another. An exception applies where the data are contained in archives of public interest, such as the registry offices. In this case the right cannot be exercised, just as personal data cannot be transferred to non-EU countries or international organizations that do not meet the security standards for protection.

The principle of "accountability"

There are other important new elements. The principle of accountability of data controllers has been introduced, together with an approach that gives greater consideration to the risks that a particular processing of personal data may entail for the rights and freedoms of the data subjects. This new right will facilitate the transition from one service provider to another, facilitating the creation of new services, in line with the Digital Single Market strategy.

Data breach

The data controller must report any violation of personal data to the Guarantor. Responding effectively to a data breach requires a multidisciplinary and integrated approach and greater cooperation at EU level. The current approach has numerous flaws that need to be corrected. It is not simple, but it is necessary to do so in order not to lose the opportunity provided by the GDPR. The first obligation for Italian companies to fulfil is certainly the adoption of the Register of processing of personal data, but even before the bureaucratic formalities, the company must understand the importance and value of the data, as well as the huge economic damage caused by a loss of information.

If the data breach poses a threat to people's rights and freedoms:

  • the data controller must inform all data subjects in a clear, simple and immediate manner and offer indications on how it intends to limit the damage;
  • the data controller may decide not to inform data subjects if it believes that the violation does not pose a high risk to their rights, or if it demonstrates that it has already taken security measures, or, finally, if informing the data subjects would involve an effort disproportionate to the risk. In this last case, it will have to issue a public communication;
  • the Guarantor Authority may in any case require the data controller to inform the data subjects on the basis of an assessment of the risks related to the violation committed.

The figure of the DPO (Data Protection Officer)

It is no coincidence that the figure of the "Data Protection Officer" (DPO) was set up. The DPO is responsible for ensuring the correct management of personal data in companies and institutions, and is identified according to professional qualities and specialized knowledge of data protection legislation and practice.

The Data Protection Officer reports directly to the company's top management and is independent, as the DPO does not receive instructions regarding the execution of the tasks.

In reality there are still too many doubts about what the figure of the DPO is. It is a relevant figure, but it is certainly not the "center" of the system established by the GDPR, which in the new system is always the Data Controller. The DPO must have a specific competence "of the regulations and practices concerning personal data as well as the administrative rules and procedures that characterize the sector". It is no less important, however, that the DPO also has "professional qualities appropriate to the complexity of the task to be performed" and, especially with reference to sensitive sectors such as health, can also demonstrate specific competences with respect to the types of processing carried out by the data controller. The decision-making autonomy of the DPO, and the DPO's non-involvement in determining the purposes and methods of data processing, are equally important if we want to return to data subjects sovereignty over the circulation of their data.