The Turkish Personal Data Protection Authority (the “Turkish DPA”) published, on 1 March 2023, a summary of its Decision No. 2023/134 concerning the investigation into TikTok over its data protection measures and imposed a fine of TRY 1,750,000 (approximately EUR 87,500) against the company.
The decision of the Turkish DPA is very significant especially for service providers also targeting Turkish residents and children in Turkey. Also the Turkish DPA is not the first authority that has issued fine against TikTok as TikTok has been on the agenda of the data protection authorities around the world.
Findings of the Turkish DPA
As a result of various complaints and news about the claims that there is unlawfulness within the scope of obtaining and storing of personal data, there are many security flaws in TikTok's software, and the user’s explicit consent was not duly obtained, Turkish DPA initiated an ex officio investigation.
The Turkish DPA found that TikTok failed to adopt measures to ensure an appropriate level of security over the data it collected in order to prevent the unlawful processing of personal data.
This is important because it is the first time we see in a decision in Turkey, stating that individuals who are 13-15 years old are at sensitive ages and additional measures should be considered by the data controller upon identification of the risks attributable to processing of their personal data. For processing of personal data of individuals at such ages, we may therefore recommend the data controllers to make a data privacy impact assessment to identify the risks and to determine the appropriate measures for such processing activities.
Furthermore, the Turkish DPA found that TikTok had collected the personal information of children who are under the age of 13 without their parental consent for processing of such users’ personal data.
The Turkish DPA in its decision explicitly stated that users who are under 13 years old are children whereas it prefers the “user” wording for users who are 13-15 years old. In Turkey, normally, any person under 18 years of age is a child. Accordingly, parental consent is normally required for processing of their personal data although they are more than 13 years of age. On the other hand, according to the decision, the Turkish DPA implies that children at or above 13 years of age may consent to processing of their personal data as long as the data controller takes appropriate and additional measures for processing of their personal data, as the Turkish DPA has not explicitly referred to parental consent or how to establish parental consent mechanism.
For the reasons stated above, the Turkish DPA determined that TikTok failed to take the required administrative and technical measures to provide appropriate security level in order to prevent unlawful processing of personal data. Therefore, the Turkish DPA imposed an administrative fine of TRY 1,750,000 million (approximately EUR 87,500) to TikTok for violations of Article 12(1), in accordance with Article 18(1)(b) of the Law on Protection of Personal Data No. 6698 (the “Law”).
As a first reaction, the sanction amount is relatively low considering the maximum fine amount that can fined by the Turkish DPA introduced for 2023. In 2023, the upper limit of a sanction applicable to such breach is TRY 5,971,989 (approximately EUR 299,000.-) whereas the lower limit is TRY 89,571 (approximately EUR 4,500.-).
The Turkish DPA is competent to determine the amount of the sanction between the lower and the upper limits by taking into consideration the unfairness of the unlawful processing activity, the level of fault as well as financial condition of the data controller. Processing of children’ personal data without parental consent is a severe unlawfulness which also implies a gross fault of TikTok. For financial condition, although practitioners think that the turnover in Turkey mut be considered for data controllers outside Turkey, based on other decisions of the DPA, we are familiar that the DPA considered global turnovers to assess the financial condition of the data controller. In light of this, normally, we also expect the fine to be more close to the upper limit.
The sanctions in Turkey are subject to increase each year based on re-evaluation rate determined by the government considering the inflation rate etc. In 2021, the upper limit for the same breach was TRY 1,966,860.- (approximately EUR 98,340) whereas the lower limit was TRY 49,167.- (approximately EUR 2,450.-). From this perspective, the sanction imposed upon TikTok is very close to the upper limit applicable to the year 2021.
In addition to the administrative fine, the Turkish DPA also requested from TikTok to correct its continuing deficiencies in relation to privacy notices and language of the legal documents relating to processing of personal data.