The Irish Data Protection Commission (DPC) has yet another ‘Big Tech’ GDPR probe to add to its stack: The regulator said yesterday it has opened two investigations into the video-sharing platform TikTok.
The first deals with how TikTok handles children’s data and its compliance with the European General Data Protection Regulation.
The DPC also said it will review transfers of personal data from TikTok to China, where its parent entity is based, to see whether the company meets the requirements set out in the rules governing transfers of personal data to third countries.
TikTok has been contacted to comment on the DPC’s investigation.
A spokesperson told us:
“The privacy and security of the TikTok community, especially our younger members, is a top priority. We have extensive policies and controls in place to protect user data, and rely on approved methods for transferring data from Europe, such as standard contractual clauses. We intend to cooperate fully with the DPC.”
The Irish regulator’s announcement of two ‘ex officio’ investigations follows pressure from other European data protection authorities and consumer protection groups, who have expressed concerns about the way TikTok handles users’ data in general and children’s information in particular.
In Italy last January, TikTok was ordered to recheck the age of every user in the country after the data protection watchdog launched an emergency procedure, using powers under the GDPR, as a result of child safety concerns.
TikTok went on to comply with the order, removing over half a million accounts where it couldn’t verify that users weren’t children.
This year, European consumer protection groups have also raised a number of child safety and privacy concerns regarding the platform. And, in May, EU lawmakers said they would revise the company’s terms of service.
Regarding children’s data, the GDPR sets limits on how children’s information can be processed, placing an age limit on children’s ability to consent to the use of their data. The age limit varies between EU Member States, but there is a strict limit on children’s ability to consent at 13 (some EU countries set the age limit at 16).
In response to the DPC’s investigation announcement, TikTok highlighted its use of age restriction technology and other strategies it said it uses to detect and remove underage users from its platform.
It also pointed to a number of recent changes to children’s accounts and data, such as switching default settings so that their accounts are private by default and limiting their exposure to certain features that deliberately encourage interaction with other TikTok users if those users are over 16 years old.
When transferring data internationally, it claims to use “approved methods”. However, the picture is a bit more complicated than TikTok’s statement suggests. Transfers of Europeans’ data to China are complicated by the EU’s lack of a data adequacy agreement with China.
In the case of TikTok, this means that for any transfer of personal data to China to be lawful, it must have additional “appropriate safeguards” to protect the information in accordance with the required European standard.
Where there is no adequacy arrangement in place, data controllers can potentially rely on mechanisms such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) – and TikTok’s statement says it uses SCCs.
But, crucially, transfers of personal data from the EU to third countries have faced significant legal uncertainty and increased scrutiny since a landmark CJEU ruling last year that invalidated a flagship EU-US data transfer agreement and made it clear that DPAs (like the Irish DPC) have a duty to step in and suspend transfers if they suspect that individuals’ data is being transferred to a third country where it could be at risk.
So while the CJEU has not completely invalidated mechanisms such as SCCs, it has essentially stated that all international transfers to third countries should be assessed on a case-by-case basis, and that when a DPA has concerns it must intervene and suspend unsafe data flows.
The CJEU ruling means that using a mechanism like SCCs does not in itself say anything about the legality of a particular data transfer. It also increases the pressure on EU regulators like the Irish DPC to be proactive in assessing risky data flows.
The final guidance issued by the European Data Protection Board earlier this year provides details of “supplementary measures” that a controller may be able to apply in order to raise the level of protection around their specific transfer so that the information can lawfully be taken to a third country.
But those steps can include technical measures like strong encryption, and it’s not clear how a social media company like TikTok could apply such a fix, given that its platform and algorithms are constantly mining user data to personalize the content users see and to keep them engaged with TikTok’s advertising platform.
Another recent development is that China has just passed its first data protection law.
But, again, this is unlikely to change much for EU transfers. The Communist Party regime’s continued appropriation of personal data, through the enforcement of sweeping digital surveillance laws, means that it would be nearly impossible for China to meet the EU’s stringent requirements for data adequacy. (And if the US can’t get the EU to grant it adequacy, it would be an “interesting” geopolitical prospect, to put it politely, if the coveted status were granted to China…)
One factor that TikTok can be happy about is that it probably has time on its side when it comes to the EU’s enforcement of its data protection rules.
The Irish DPC has a huge backlog of cross-border GDPR investigations into a number of tech giants.
It wasn’t until earlier this month that the Irish regulator finally issued its first ruling against a Facebook-owned company, announcing a $267 million fine against WhatsApp for violating the transparency rules of the GDPR (but only doing so years after the first complaints were filed).
The DPC’s first decision in a cross-border GDPR case involving Big Tech came late last year, when it fined Twitter $550,000 for a data breach dating back to 2018, the year in which the GDPR technically started to apply.
The Irish regulator still has dozens of undecided cases on its desk, against tech giants like Apple and Facebook. This means the new TikTok probes join the back of a much-criticized bottleneck, and a decision on these probes is not likely for years.
When it comes to children’s data, TikTok could be the subject of a faster review elsewhere in Europe: the UK has added some gold-plating to its version of the EU’s GDPR in the area of children’s data and, as of this month, has said it expects platforms to meet its recommended standards.
It warned that platforms that do not fully engage with its age-appropriate design code could face penalties under the UK’s GDPR. The UK code has been credited with encouraging a number of recent changes by social media platforms to the way they handle children’s data and accounts.