Having already been banned from its second-largest market (India) and facing the immediate possibility of a ban from its third-largest market (the United States), it’s fair to say that TikTok is having an even rougher 2020 than most companies. The bad news continues to come for the beleaguered Beijing-based social media app as it is now facing added scrutiny in the European Union, with French privacy regulator CNIL opening a probe into parent company ByteDance’s operations following a complaint made in May.
French privacy regulator to examine data sent to China, app’s access to minors
The involvement of the French privacy regulator appears to stem from a citizen complaint in May about content being hosted without permission on the video sharing app. CNIL said on Tuesday that the complaint had initially been closed for procedural reasons, due to failure by the complainant to first contact TikTok about the matter.
The privacy regulator has not released much more public information as of yet, but it appears that the complaint somehow triggered a more expansive probe of TikTok’s operations. CNIL told Reuters that it was looking at how much user information TikTok passes back to ByteDance and what rights users have to observe and control that flow of data. It is also examining whether TikTok is taking appropriate measures to ensure the safety of minors on the platform.
With this move the French data privacy watchdog joins other EU privacy regulators that have established at least some level of inquiry into TikTok’s handling of user data. EU data protection authorities agreed in June to coordinate any potential investigations into TikTok after the Netherlands data protection commission (DPC) raised concerns over the app’s handling of children’s data. In response to facing broader scrutiny, TikTok has said that it is “fully cooperating” with all probes in the EU.
Could location matter for TikTok?
TikTok’s central offices in Europe are in London, but it also has offices in Paris as well as Dublin and Berlin. The company has expressed a desire to set up a new data center in Dublin, which would likely require the approval of a joint task force. If the data center is built it would process all of the personal data that TikTok collects in the EU.
This process could mean that the examination of ByteDance would shift from the French privacy regulator to Ireland’s top data privacy watchdog. That in turn could mean big delays in a decision on the data center, as the Irish privacy regulator has been backed up with cases for some time given that most tech companies headquarter in Dublin for tax reasons.
Developments in the US might also have a bearing on the results in the EU. The Trump administration has required that ByteDance either find a US buyer for its operations by mid-September or stop doing business in the country. Microsoft is currently the leading name among suitors and confirmed in early August that it was interested in purchasing TikTok, possibly allowing for other investors to get in on partial ownership. There have also been reports of interest by Twitter and an investment group led by Sequoia Capital and General Atlantic.
A full sale of TikTok’s operations and relocation to the US would not necessarily solve the privacy regulator issues in the EU, however. The US and EU are currently embroiled in a separate data processing conflict resulting from the invalidation of the international Privacy Shield agreement by the EU’s highest court. At present, it is technically impermissible for EU organizations to send personal data to the US unless a contractual agreement is in place that satisfies all privacy concerns in accordance with the terms of the General Data Protection Regulation (GDPR). The two countries are discussing an update to Privacy Shield, but it is expected that any new legislation will be challenged in court as well until there is federal-level data privacy reform in the US.
Regardless of where it is headquartered, the Privacy Shield ruling means that TikTok could be in violation of the GDPR if it passes EU citizen personal information to any servers located in China or in any other country that does not have a GDPR-equivalent national privacy law in place. The crux of TikTok’s recent problems is China’s National Intelligence Law. This law essentially requires any company based in China to turn over the personal data it collects to the government upon request, with nothing meaningful in the way of any independent judicial oversight.
While TikTok may be able to demonstrate that it is not actively funneling data to the CCP government, these assurances are essentially meaningless so long as it is headquartered in China. The National Intelligence Law allows the country access to all of this personal data without due process whenever it might happen to desire it, and without any visibility into the process from outside of the country.
Under the terms of the Privacy Shield ruling, any company making use of servers in China (or retaining third-party vendors that make use of such servers) would be found by privacy regulators to be in violation of the GDPR terms as well. The app’s best overall hope would thus appear to be a buyout by Microsoft or some similar US company followed by a speedy update to the Privacy Shield framework; otherwise, it might find itself locked out of all of its biggest international markets by the end of 2020.