Personal Data Protection Board Decisions

On 1 March 2023, the Turkish Personal Data Protection Board (“Board”) announced that it had imposed an administrative monetary fine of TRY 1,750,000 on TikTok Pte. Ltd. (“TikTok”) on the grounds that TikTok did not apply adequate security measures. The Board decided to initiate an ex officio investigation following various news reports and complaints about the TikTok application alleging that (i) TikTok does not obtain explicit consent in line with the Turkish Personal Data Protection Law numbered 6698 (“Law”), (ii) personal data is obtained and retained unlawfully, and (iii) there are many security flaws in the software. The Board’s decision contained the following statements:

  • Although it is stated that TikTok’s Privacy Policy was updated in January 2021 and that, with the update, (i) TikTok changed the privacy settings for the accounts of users aged 13–15 to “private” and (ii) in this way, videos posted by these users can be viewed only by approved followers, and the persons who can download and comment on videos are restricted, profiles were displayed publicly by default before the January 2021 update, and TikTok did not mitigate the risks to users from sensitive age groups before the update,
  • Before the update of the Privacy Policy in January 2021, the personal data of children under the age of 13 was displayed and collected without appropriate parental consent, so there is a risk that children may be adversely affected by such interactions,
  • The Privacy Policy on TikTok’s website did not provide clear information about which personal data was processed, for what purpose and on which legal basis, and in this respect TikTok did not duly fulfil its obligation to inform and violated the principles of “processing personal data for specific, explicit and legitimate purposes” and “being relevant, limited and proportionate to the purpose” stated in Article 4 of the Law,
  • It is stated that if users create a TikTok account, they will be deemed to have accepted the Terms of Service and Privacy Policy, but the content was not presented to the users in an understandable format because the Terms of Service were not prepared in the Turkish language. For this reason, it is underlined that users were likely to accept the terms without fully understanding them, 
  • There is no mechanism for obtaining explicit consent when creating an account on the platform or when creating an account and actively using it; although TikTok’s Privacy Policy is essentially a text prepared to fulfil the obligation to inform, it is also used as the explicit consent. This violates the requirement that explicit consent be obtained separately from the obligation to inform,
  • TikTok did not obtain explicit consent from the users regarding the personal data processing activity carried out by using cookies for profiling purposes. As a result, such data processing activity violates Turkish data privacy law. 

The Board instructed TikTok to: 

  • translate its Terms of Service into Turkish within one month,
  • bring its Privacy Policy into compliance with the Law within three months, and
  • fulfil its obligation to inform in line with the applicable legislation. 

It is understood from the decision that the Board has adopted a stricter approach to children’s data, and that using the Turkish language in documents is preferable to ensure that data subjects can fully understand the data processing activities.