GDPR and Child protection – a 12-year old girl takes on tech giant TikTok

A UK High Court judge has granted permission for a class-action style privacy lawsuit to proceed against TikTok, over its handling of children’s data. The lawsuit was filed by a then 12-year-old girl, who has been granted anonymity by the court, to bring the claim that the social networking site is processing children’s data unlawfully.

The suit is seeking damages on behalf of millions of children for alleged abuse of their information — and if the legal action succeeds, TikTok could be on the hook to pay billions of euros in compensation.

A similar compensation-seeking children’s data, GDPR child protection suit, has also been filed against TikTok in the Netherlands.

Both class action lawsuits are depending on GDPR’s article 80.

The privacy officers of many larger companies, and e-commerce platforms, have had some sleepless nights, thinking about the possible consequences of article 80 GDPR. Article 80 GDPR, contains rules on the powers of non-profit entities, active around the protection of data subjects’ rights, and freedom with regard to GDPR.

In the first place, article 80(1) GDPR gives those non-profits the right to act when they are directly mandated by a specific data subject. So a non-profit can lodge a complaint, or file a court case concerning GDPR, in the name of, and on behalf of, a specific person. This will need proof  (e.g. a signed mandate) that the specific person asked the non-profit to do so. This, of course, is not what keeps privacy officers awake at night.

GDPR Article 80(2)

It is the next part that causes their concern. Article 80(2) GDPR contains an opening clause: Where, provided for by a Member State law, a non-profit has the right to lodge complaints or to file judicial remedies under GDPR independently of a data subject’s mandate. This is if the NPO considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.

This, of course, opens the door for the dreaded class action lawsuits, and that is exactly what recently happened. Two Courts, from 2 different EU Member States, granted permission for a GDPR related Class Action.

In a decision of 26.05.2021 The Commercial Court of Vienna ruled that legal actions, by an Austrian consumer protection institution under the Austrian Consumer Protection Act, may also be based on violations of the GDPR. And in its decision of 12.07.2021, the District Court of Amsterdam held, that the Data Privacy Foundation, a non-profit organisation in the Netherlands, could litigate in a Dutch court, against Facebook on behalf of Dutch Facebook users, on the question of whether Facebook has a valid legal basis for its processing activities.

Both decisions made direct reference to article 80(2) and allowed the non-profits to act independently of a direct mandate and thus, hold class action proceedings.

More class actions against Facebook, Tik Tok, Salesforce, Youtube

Since then, we have seen class actions against Facebook, Tik Tok, Salesforce and Youtube… There is no doubt more will follow suit.

Let’s consider the fact that according to the EDPB all participants on an e-commerce platform, are joint controllers. So if a retailer on the platform is in breach with GDPR, the platform operator can also be liable for the breach by this retailer.

If we combine this knowledge with the fact that GDPR related class actions are possible, it is easy to see why privacy officers are having sleepless nights.


Want to know more about social media and privacy? This article provides more insight.