TikTok received an official warning from Italy’s Data Protection Authority (DPA). TikTok no longer asks European users for permission to process personal data in targeted ads. The organization invoked a new basis for data processing, but the Italian privacy authority disputes its ground.
Illegal or not?
It’s common for large platforms to process the personal data of users in targeted ads. You’re more inclined to click on an advertisement when the product matches your interests. Organizations aren’t allowed to freely harvest personal data for targeted ads. The GDPR requires organizations to have a legal basis for processing.
The GDPR includes six different basises. ‘Consent’ is the most common. If you permit an organization to process your personal data for a purpose, the organization is legally allowed to process your data for the purpose in question.
Although TikTok asked European users for permission for years, the organization is keen on an alternative. Users who do not give permission generate less income. In order to process their data as well, TikTok adopted a new basis: ‘legitimate interests‘.
This basis is intended for organizations that can’t or can barely exist without processing personal data. While it’s not intented for organizations that seek to increase income, income is deemed valid under certain circumstances, like preventing bankruptcy.
TikTok recently adopted the basis to collect data without consent. The Italian privacy authority considers the basis invalid. If TikTok does not adjust its policy, the watchdog can intervene. In 2020, the Italian authority forced TikTok to block 500,000 Italian accounts.
Limited to Italy
The Italian watchdog cannot force TikTok to change its policy in other EU countries. TikTok’s European headquarters are located in Ireland. Only the Irish privacy authority can take measures that apply across Europe. At the moment, the Irish privacy authority has its hands full with two ongoing investigations into TikTok. The chances of a short-term follow-up are small.