Ireland’s Data Protection Commission has added another “Big Tech” GDPR investigation to pile. Yesterday the regulator stated that it had opened two investigations into TikTok, a video-sharing platform.
This first section focuses on how TikTok treats children’s data and whether the company complies to Europe’s General Data Protection Regulation.
Additionally, the DPC stated that it would examine TikTok’s personal data transfers to China — where TikTok is located — to determine if they meet the requirements of the regulation governing personal data transfers to other countries.
TikTok was reached out to for comments on the DPC investigation.
We were told by a spokesperson:
The safety and privacy of TikTok members is our top priority. We have implemented numerous policies to protect user data. Additionally, we rely on standard contractual clauses for European data transfers. “We intend to cooperate fully with the DPC.”
Two “own volition” inquiries were announced by the Irish regulator in response to pressure from EU data protection authorities. Consumer protection groups have also raised concerns over TikTok’s handling of user data and information about children.
After concerns about child safety, the TikTok data protection watchdog initiated an emergency procedure using the GDPR powers to check TikTok’s age in Italy.
TikTok continued to follow the order , deleting more than half of a million accounts that could not be verified as children.
The GDPR, which governs children’s data sets limitations on processing of their information. This puts an age limit on children’s consenting to data use. While the EU member states have different age limits, there is a limit of 13 years for children to give their consent. Some EU countries limit this limit to 16.
TikTok responded to DPC’s inquiry by pointing out its age-gating technology as well as other methods it claims it employs to identify and eliminate underage users.
The most recent changes were also highlighted. These include flipping the default settings so that children’s data is kept private by default, and restricting their access to features that encourage interaction with TikTok users.
It claims that it uses “approved methods” for international data transfers. The reality is more complex than TikTok claims. The lack of an EU data adequacy deal with China complicates data transfers to China from Europeans.
TikTok has to ensure that any data transfer to China is legal.
Data controllers may rely on standard contractual clauses (SCCs), or corporate rules binding (BCRs) if there’s no adequate arrangement. TikTok has stated that it makes use of SCCs.
However, personal data transfers from the EU to third-country individuals have been subject to significant legal uncertainty since the landmark CJEU ruling last year that invalidated the US’s flagship agreement for data transfer and made clear that DPAs such as Ireland’s DPC have a duty of intervening and suspending transfers when they suspect data might have flown to countries where it may be in danger.
While the CJEU didn’t invalidate SCCs completely, they basically said that all international transfers of data to third-country countries should be evaluated on an individual basis. If a DPA is concerned, it must intervene and stop non-secure data flow.
CJEU’s ruling does not mean that the mere fact of SCCs being used doesn’t necessarily make a transfer legal. This also increases the pressure on EU agencies, such as Ireland’s DPC, to take proactive measures in assessing data flows that could be potentially dangerous.
The European Data Protection Board released final guidance earlier in the year. It provides information on so-called “special measures” that data controllers may be allowed to use to raise the protection surrounding their particular transfer to allow for legal takeover to third countries.
These steps could include strong encryption. It’s unclear how TikTok, a social media platform like TikTok, would apply this fix given its algorithms and platform that continuously mine users’ data in order to personalize the content and keep them interested with TikTok’s ad platform.
Another recent event is that China just passed the first data protection legislation.
This is not likely to affect EU transfer rates. China’s inability to comply with the EU’s strict requirements regarding data sufficiency would make it almost impossible due to the Communist Party’s continued appropriation and application of digital surveillance laws. If the US cannot get EU adequacy, it would make for ‘interesting’ geopolitical opticals.
TikTok should be encouraged by the fact that its EU compliance with data protection regulations is likely to continue.
A large backlog of GDPR cross-border investigations has been completed by the Irish DPC into several tech companies.
was the month when an Irish regulator issued its first judgment against Facebook. It imposed a $267M penalty on WhatsApp for violating the GDPR transparency rules. This decision came only years after first complaints were filed.
was the DPC’s first cross-border GDPR decision pertaining to Big Tech. It fined Twitter $550k for a data breach that occurred in 2018, which is the year the GDPR officially began.
The Irish regulator has still scores of unresolved cases against technology giants like Apple and Facebook on its table. This means the TikTok probes will join a well-known bottleneck. These probes are not likely to be approved for many years.
TikTok’s children’s data may be under closer scrutiny in Europe. The UK has added some “goldplaiting” to the EU’s GDPR. stated that it expected platforms to meet the recommended standards starting this month.
It warned platforms not adhering to its Age Appropriate Code may face sanctions under the UK GDPR. Social media platforms have made significant changes to how they treat children’s data in recent years, thanks to the UK’s Code.
Publiated at Wed 15 Sep 2021, 09:49:42 +0000