This is how Tik Tok has been 'blocked' in Italy by resorting to the 'urgent procedure' of the EU GDPR (also applicable in Spain)

A death shook Italy at the end of last week: little Antonella Sicomero, only 10 years old, died of suffocation as consequence of your participation in the viral challenge #BlackoutChallenge, spread through Tik Tok, a network in which Antonella herself was an active participant.

This tragic event therefore triggered an unprecedented response in his country: The authorities (specifically the Italian body dedicated to data protection) decided to "block" Tik Tok.

Although they have not done it by preventing access through a DNS block or some other similar method, but ordering the social network to freeze the processing of personal data of users whose age you couldn't verify, including processing logins.

And, in the absence of such verification, Tik Tok cannot rule out - as Antonella's death shows - that "even those under the age of thirteen are using your service, theoretically intended for an audience older than that age ".

"From Tik Tok they will not be able to implement any treatment of personal data without being reasonably sure that there is a validly signed contract and / or a valid consent".

This clarification corresponds to statements by Guido Scorza, representative of the Italian body dedicated to data protection, made to the newspaper La Stampa. In this medium, Scorza also clarifies that, now, it is up to the social network to establish the exact mechanism to comply with the conditions set forth above.

First use of the GDPR 'rush procedure'

Legally speaking, what is interesting about this case is the legal mechanism chosen to make a decision of this caliber: this is the first case in which the "Emergency Procedure" of the RGPD (the regulation that regulates the use of personal data within the EU).

Said regulation, in its article 66, grants the data protection authorities powers to "intervene to protect the rights and freedoms of interested parties" through the immediate adoption of

"Provisional measures designed to produce legal effects in its own territory, with a specified period of validity that may not exceed three months."

In the words of Samuel Parra, a lawyer specialized in the RGPD and privacy, said article of the RGPD

"is thinking precisely to be able quickly tackle a serious situation with regard to the processing of personal data, without the need to initiate an entire administrative procedure, which can last months ".

"In this case, the Italian guarantor has considered that the death of the girl is reason enough to intervene, especially when It had already been warning Tik Tok that it was not processing personal data in accordance with the regulations Italian data protection ".

Why even with intimate aspects there are many people who want to be viral and that the whole world see them

The privacy of minors according to the RGPD


Faced with the voices that have been raised arguing that this type of data verification constitutes in itself a threat to privacy (voices with which Scorza is very critical in his interview), Parra explains that, on the contrary, what is being done here is

"Protect user privacy: if you are a minor you do not enter and we protect you, if you are older, you enter in accordance with the data protection regulations ".

The RGPD establishes that this age of majority is reached at 16 years, but allows each member state to lower it to 13 years: In Spain, for example, the age of majority in data protection has been established at 14 years.

"This means that if a 13-year-old child wants to use a social network, in theory there should be a procedure by which the parents can consent to such treatment of the minor, or else establish a mechanism that prevents a 13-year-old can register. This is precisely the problem that they attribute to Tik Tok in Italy. "

Article 8.2 of the Regulation sheds more light on the obligations applicable to Tik Tok (and to any other online service operating in the EU):

"The person responsible for the treatment will make 'reasonable' efforts to verify that the consent was given or authorized by the holder of parental authority or guardianship over the child, taking into account the available technology."

A European pro-privacy regulation forces social networks to deactivate their online child abuse detection systems

"This same measure could be adopted in Spain"

Parra explains that "this same measure could be adopted in Spain, because the RGPD is the same for all members of the European Union":

"This is one of the achievements of the RGPD: to establish a common framework of rights and obligations for the entire territory of the European Union, therefore, our Spanish Agency for Data Protection could also resort to that article 66 of the RGPD and impose a measure similar if deemed necessary ".