Ireland’s Data Protection Commission (DPC) has another ‘big tech’ GDPR investigation to add to its pile: The regulator said yesterday that it has opened two investigations into the video sharing platform TikTok.
The first covers how TikTok handles children’s data, and whether it complies with Europe’s General Data Protection Regulation.
The DPC also said it would investigate TikTok’s transfers of personal data to China, where its parent entity is based – to see whether the company meets the requirements set out in the regulation covering personal data transfers to third countries.
TikTok was contacted for comment on the DPC’s investigation.
A spokesperson told us:
“The privacy and security of the TikTok community, especially our youngest members, is a top priority. We have implemented comprehensive policies and controls to protect user data and rely on accepted methods for data being transferred from Europe, such as standard contractual clauses. We intend to cooperate fully with DPC.”
The Irish regulator announced the two “own volition” inquiries following pressure from other EU data protection authorities and consumer protection groups, who have raised concerns about how TikTok handles user data in general and children’s information in particular.
In Italy this January, TikTok was ordered to re-check the age of every user in the country after the data security watchdog instigated an emergency process using GDPR powers following child safety concerns.
TikTok complied with the order – removing more than half a million accounts where it could not verify that users were not children.
This year European consumer protection groups have also raised several child safety and privacy concerns about the platform. And, in May, EU lawmakers said they would review the company’s terms of service.
On children’s data, GDPR sets limits on how children’s information can be processed, imposing age limits on children’s ability to consent to the use of their data. The age limit varies by EU member state, but there is a hard limit for the ability of children to consent at age 13 (some EU countries set an age limit of 16).
In response to the announcement of the DPC investigation, TikTok pointed to the use of age gating technology and other strategies it said it uses to detect and remove underage users from its platform.
It also flagged a number of recent changes made around children’s accounts and data – such as flipping the default settings to make their accounts private by default and limiting their exposure to certain features that intentionally encourage interaction with other TikTok users if those users are over 16.
On international data transfers, it claims to use “approved methods”. However, the picture is much more complicated than TikTok’s statement suggests. Transferring Europeans’ data to China is complicated by the lack of an EU data adequacy agreement with China.
In the case of TikTok, this means that for any transfer of personal data to China to be valid, additional “appropriate safeguards” are needed to protect the information to the required EU standard.
When there is no adequacy arrangement in place, data controllers can, potentially, rely on mechanisms such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) – and TikTok’s statement says it uses SCCs.
But – crucially – personal data transfers from the EU to third countries have faced significant legal uncertainty and have been under scrutiny since a landmark ruling by the CJEU last year, which invalidated a major data transfer arrangement between the US and the EU and made it clear that it is the duty of DPAs (such as Ireland’s DPC) to step in and suspend transfers if they suspect that people’s data may be flowing to a third country where it may be at risk.
So while the CJEU did not outright invalidate mechanisms such as SCCs, it essentially stated that all international transfers to third countries should be assessed on a case-by-case basis and that, where a DPA has concerns, it should step in and suspend those non-secure data flows.
The CJEU’s decision means that merely using a mechanism like SCCs says nothing in itself about the legality of a particular data transfer. It also increases pressure on EU agencies such as Ireland’s DPC to be proactive in assessing risky data flows.
Earlier this year, final guidance from the European Data Protection Board provided details on so-called ‘special measures’ that a data controller may be able to implement to increase the level of protection around its specific transfers so that the information can legally be transferred to a third country.
But these steps could include technical measures such as stronger encryption – and it’s unclear how a social media company like TikTok will be able to implement such improvements, given how its platform and algorithms continually mine users’ data to optimize the content they see and to link them to TikTok’s advertising platform.
In another recent development, China has passed its first data protection law.
But, again, this is unlikely to change much for EU transfers. The ongoing appropriation of personal data by the Communist Party regime through the application of comprehensive digital surveillance laws means that it will be impossible for China to meet the EU’s stringent requirements for data adequacy. (And if the US can’t get EU adequacy, it would be ‘interesting’ geopolitical optics, to put it politely, were that prestigious status to be given to China…)
One factor TikTok may take heart from is that, when it comes to the EU’s enforcement of its data protection rules, time is likely to be on its side.
The Irish DPC has a large backlog of cross-border GDPR investigations into several tech giants.
Earlier this month the Irish regulator finally issued its first ruling against a Facebook-owned company – announcing a $267M fine against WhatsApp for violating GDPR transparency rules (but only doing so a few years after the first complaints were filed).
The DPC’s first decision in a cross-border GDPR case related to Big Tech came late last year – when it fined Twitter $550k over a data breach dating back to 2018, the year the GDPR technically began applying.
The Irish regulator still has countless cases on its desk – against tech giants including Apple and Facebook. This means that the new TikTok investigations add to a much-criticized bottleneck. And decisions on these investigations are unlikely for years.
On children’s data, TikTok may face more rapid scrutiny elsewhere in Europe: the UK has added some ‘gold-plating’ to its version of the EU GDPR in the area of children’s data – and, since this month, has said that it expects platforms to meet its recommended standards.
It has warned that platforms that do not fully comply with its age appropriate design code could face penalties under the UK’s GDPR. The UK code has been credited with encouraging a number of recent changes by social media platforms to how they handle children’s data and accounts.