China-based TikTok appears to have evaded major issues in the United States, but is now facing fresh difficulties in Europe. Ireland’s Data Protection Commission (DPC), the lead regulator for TikTok in the European Union, has opened two probes into the company’s data handling practices. One probe calls its General Data Protection Regulation (GDPR) compliance into question due to data transfers to China. The other is on a theme that has been causing TikTok problems for years now: its collection and handling of the personal data of children.
Foreign data transfers, child safety continue to be issues for TikTok
Both of the probes are being handled by the Irish DPC due to TikTok basing its EU offices in Dublin. The company has a larger office in London, but the Brexit split put that beyond the reach of the GDPR as of the beginning of 2021.
The first issue, the handling of the data of underage platform users, is one that TikTok has grappled with in multiple countries dating back to its Western debut as Musical.ly in 2017. The app has faced regulatory scrutiny and lawsuits over collection of protected personal information (such as dates of birth and phone numbers) from minors and data transfers to third parties, as well as failure to screen adult content and dangerous “challenges” from the videos recommended to these users. While TikTok has updated its privacy policies and controls several times in response to these issues, the platform still essentially relies on self-reporting of age.
TikTok faces greater scrutiny in this area than most as its user base skews significantly younger than other social media apps and platforms. The Irish DPC’s probe specifically cites platform settings for users under age 18 and the age verification process for users under the age of 13 as items it is investigating.
The second DPC probe focuses on data transfers that TikTok may be sending back to China. This has become a hot-button issue in the EU in the wake of the Schrems II ruling last year, which set hard standards requiring that the protections of countries that EU personal data is transferred to be “essentially equivalent” to the terms of the GDPR. That created trouble for many foreign companies, with the headline item being suspension of data transfers to the United States. The US was taken off the “trusted partner” list due to federal policies requiring private companies to provide a great deal of access to the data of foreign citizens upon request; the government of China essentially requires unfettered access to everything that companies store within the country.
A spokesperson for the company said that “The privacy and safety of the TikTok community, particularly our youngest members, is our highest priority” and that it believed its child protection safeguards and legal agreements for foreign data transfers met the standards of the GDPR.
The Irish DPC announced that pressure from other EU data authorities and consumer complaints prompted it to open the probes into data transfers. TikTok has had a troubled year in the EU thus far, after seemingly dodging the ban from the US that the Trump administration had proposed in 2020. Italy opened the year by ordering TikTok to re-verify the age of all of its users in the country, after a 10-year-old girl died while attempting a “blackout challenge” she had seen on the platform. In May, the European Commission formally asked TikTok to respond to a list of concerns about hidden advertising practices that target children. Consumer protection groups have also coordinated to file complaints on behalf of masses of users in the region, citing similar concerns about child safety as well as questionable privacy practices and unfair handling of its internal virtual currency system.
Addressing the issue of data transfers to China, TikTok has said that it makes use of Standard Contractual Clauses (SCCs) that guarantee data partners are taking measures (usually encryption) that provide EU residents with a sufficient level of personal data protection. That claim is tough to substantiate in China, however, given the government’s policy of forbidding encryption that it does not have a back door into.
Lead data protection authorities are supposed to review SCCs on a case-by-case basis to determine if they are actually providing sufficient protection of user data. The Irish DPC has become infamous for its backlog of cases, as it is the lead agency for the majority of large tech companies that have operations in Europe.
The GDPR grants the authority to fine companies up to 4% of their annual global revenue in these cases, but the Irish DPC has yet to come near this amount and has been very hesitant to issue fines at all. Its most significant fine came earlier this month, €225 million (about $267 million) to WhatsApp for privacy violations. Its first fine of a big tech company was handed to Twitter (€450,000, about $547,000) in late 2020 after an investigation that lasted two years.