BEIJING: TikTok faces privacy investigations by EU watchdog

BEIJING: The watchdog is looking into
its processing of children’s personal data, and whether TikTok is in line with
EU laws about transferring personal data to other countries, such as China.

TikTok
said privacy was “our highest priority”.

The Irish
DPC said it was specifically looking into GDPR-related issues.

These are
the EU privacy laws which can potentially lead to enormous fines of up to 4% of
a company’s global turnover.

It said
the first inquiry would examine “the processing of personal data… for
users under age 18, and age verification measures for persons under 13″.
It will also look into how transparent TikTok has been about how it processes
such data.

It is not
the first time the Irish DPC has investigated such matters. In October 2020, it announced it was looking into Instagram’s
handling of children’s personal data.

And
Tiktok has already faced a similar collective legal
action in the UK, spearheaded by a former children’s commissioner.

It is
around “transfers by TikTok of personal data to China”, the DPC said.
TikTok is owned by Chinese company ByteDance, and has repeatedly faced
accusations that it shares data with Chinese companies – or even the Chinese
government, something the firm strenuously denies.

During
Donald Trump’s presidency, it was nearly banned in the US – although that order has since been dropped.

The DPC’s
investigation is more tightly concerned with whether TikTok is obeying EU rules
on transfers of data to so-called “third countries” – places to which
the EU has not given a seal of approval over their privacy laws.

TikTok
has already made a series of changes to its systems to fend off both
allegations.

In
January, it made all under-16s’ accounts private by
default, as part of a bid to improve child safety on the platform.

It
followed that up in July by deleting millions of
accounts which it said belonged to under-13s, who are not supposed
to be allowed on the platform at all.

And in
August, it announced it would no longer send push
notifications to children’s accounts during certain times of the
day, saying it was designed to help children study, relax, and sleep.

In a
statement, TikTok said: “We’ve implemented extensive policies and controls
to safeguard user data and rely on approved methods for data being transferred
from Europe, such as standard contractual clauses. We intend to fully
co-operate with the DPC.”

The Irish
data commissioner takes a lead role in regulating many of the world’s largest
tech firms, as the European headquarters of companies such as TikTok, Facebook,
and Google are all based in Ireland.

However,
it has been accused by some of having a lax approach to enforcement.

For
example, it recently handed WhatsApp the
second-largest GDPR fine on record, of €225m (£193m).

It
initially recommended a much smaller fine of €30m-50m, but faced objections
from the data watchdogs of several other EU states. The disagreement eventually
went before a formal EU board, which told the Irish DPC to change its finding
and issue a higher fine.

Max
Schrems, a well-known privacy advocate and established critic of the Irish
regulator, said at the time that incident “shows how the DPC is still
extremely dysfunctional”.