Ireland Investigates TikTok Data Handling & China Transfers

TikTok Faces New GDPR Investigations by Ireland’s DPC

Ireland’s Data Protection Commission (DPC) has initiated two new investigations concerning the video-sharing platform TikTok, adding to its existing workload of Big Tech GDPR probes.

Focus of the Investigations

The first investigation will concentrate on TikTok’s processing of children’s data and its adherence to the stipulations of Europe’s General Data Protection Regulation.

The second inquiry will examine the transfer of personal data from TikTok to China, where its parent company is located. This assessment will determine if the company fulfills the regulatory requirements for transferring personal data to nations outside of Europe.

TikTok’s Response

TikTok has been contacted for a statement regarding the DPC’s investigations.

A company spokesperson acknowledged the announcement of the two “own volition” inquiries, which followed mounting pressure from EU data protection authorities and consumer advocacy groups. These groups have expressed concerns about TikTok’s overall handling of user data, particularly information pertaining to children.

Previous Actions and Concerns

Earlier this year, in Italy, TikTok was mandated to re-verify the age of all users within the country. This action stemmed from an emergency procedure initiated by the data protection watchdog, leveraging GDPR powers, due to child safety concerns.

TikTok complied with the directive, resulting in the removal of over half a million accounts where user ages could not be reliably confirmed.

Throughout the year, European consumer protection organizations have consistently voiced concerns regarding child safety and privacy issues on the platform. Furthermore, EU legislators indicated in May that they would review TikTok’s terms of service.

GDPR Regulations Regarding Children’s Data

The GDPR establishes limitations on the processing of children’s information, including an age threshold for consent regarding data usage.

While the specific age limit varies across EU member states, a general cap of 13 years old exists, with some countries setting the limit at 16.

TikTok’s Existing Measures

In response to the DPC’s inquiry, TikTok highlighted its implementation of age-gating technology and other strategies designed to identify and remove underage users from the platform.

The company also pointed to recent modifications made to children’s accounts and data handling practices, such as defaulting to private settings for children’s accounts and restricting access to features that encourage interaction with users over the age of 16.

International Data Transfers and Challenges

TikTok asserts its use of “approved methods” for international data transfers. However, the situation is more complex than this statement suggests.

Data transfers from Europe to China are complicated by the absence of an EU data adequacy agreement with China.

Consequently, for any personal data transfer to China to be lawful, TikTok must implement additional “appropriate safeguards” to ensure the information is protected to the required EU standard.

Legal Uncertainty and CJEU Ruling

Mechanisms like Standard Contractual Clauses (SCCs) and binding corporate rules (BCRs) can be utilized when an adequacy arrangement is lacking. TikTok confirms its use of SCCs.

However, a landmark ruling by the Court of Justice of the European Union (CJEU) last year introduced significant legal uncertainty surrounding international data transfers. The ruling invalidated a key data transfer arrangement between the U.S. and the EU and clarified that DPAs, like Ireland’s DPC, have a responsibility to suspend transfers if data risks are identified.

While the CJEU did not invalidate SCCs outright, it mandated a case-by-case assessment of all international transfers, and empowered DPAs to intervene and halt insecure data flows.

Guidance from the European Data Protection Board

The European Data Protection Board (EDPB) issued guidance earlier this year detailing “special measures” that data controllers can implement to enhance data protection during transfers to third countries.

These measures may include technical solutions like strong encryption, but their applicability to social media platforms like TikTok, which rely on continuous data mining for personalization and advertising, remains uncertain.

China’s Data Protection Law

China recently enacted its first data protection law.

However, this is unlikely to significantly impact EU transfers, as the Chinese Communist Party’s extensive digital surveillance practices and appropriation of personal data make it improbable for China to meet the EU’s stringent data adequacy requirements.

DPC Backlog and Enforcement Timelines

TikTok may benefit from the Irish DPC’s substantial backlog of cross-border GDPR investigations involving numerous tech giants.

The DPC only recently issued its first decision against a Facebook-owned company, imposing a $267 million fine on WhatsApp for GDPR transparency breaches – years after the initial complaints were filed.

The DPC’s first cross-border GDPR case against a Big Tech company concluded last year with a $550,000 fine for Twitter related to a 2018 data breach.

The DPC currently has numerous undecided cases involving companies like Apple and Facebook, meaning the new TikTok probes will join a heavily criticized bottleneck. A decision on these investigations is not anticipated for several years.

UK’s Age-Appropriate Design Code

TikTok may face more immediate scrutiny in the UK, which has strengthened its version of the EU GDPR regarding children’s data. The UK has introduced an Age Appropriate Design Code and expects platforms to adhere to its recommended standards.

The UK’s code has been credited with prompting several recent changes by social media platforms in their handling of children’s data and accounts, and platforms that fail to comply could face penalties under the UK’s GDPR.