PONT Data&Privacy

Irish privacy watchdog investigates how TikTok processes children's data

Ireland's privacy regulator (DPC) has launched two investigations into the practices of social media platform TikTok. One of those investigations concerns the platform's compliance with the GDPR when processing personal data of children. In the second investigation, the DPC is looking into TikTok's compliance with privacy rules when it transfers personal data to China and other countries outside the EU. The DPC announced this in a press release on Sept. 14.

October 5, 2021

Background articles

The Irish privacy watchdog is primarily investigating whether TikTok meets the requirements of privacy by design and by default. The DPC also wants to know if TikTok is meeting its transparency obligations to children.

Privacy by design and by default

Any organization processing personal data must take appropriate technical and organizational measures to protect the rights of data subjects. Taking these measures is also important to comply with the various principles of data protection. One of those principles is data minimization. By applying privacy by design and by default, a data controller, such as TikTok, must ensure that no more data is collected than necessary. Data protection by design and by default must be implemented even before personal data is processed, so it should already be considered when the processing is designed. During the processing of personal data, organizations should also continuously consider whether the chosen measures are still effective. Organizations must also be able to demonstrate that the chosen measures are actually effective.

Examples of measures that can be taken are the pseudonymization of personal data and the introduction of privacy-friendly default settings. For example, a social media platform could limit the accessibility of profiles of (underage) users. That way, the profile cannot be viewed by just anyone. TikTok restricted the accessibility of profiles of users between the ages of 13 and 15 in January 2021. However, children themselves can set the profile back to public in the settings. In August 2021, TikTok introduced several measures to better ensure children's privacy. Whether the app is now privacy-friendly enough remains to be seen from the DPC's investigation.

Transparency

Another important duty for the controller is to be transparent with data subjects. What personal data are being processed and for what purpose(s) is this processing taking place? The GDPR fleshes out this obligation. The information that the controller provides to the data subject must be concise, easily accessible and understandable. This information must be given in clear and simple language. In some cases, it is even advisable to make (part of) the information visual. A layered privacy statement with links to the different sections of information can also be used. In this way, the data subject can navigate directly to a relevant section and the data controller prevents "information fatigue."

The controller must consider its intended audience and assess what information that audience will understand. This should be taken into account when drafting a privacy notice. Because TikTok had failed to do so, according to the Dutch data protection authority (AP), it was fined €750,000 on July 22, 2021. TikTok did not inform children about the processing of personal data in a way they could understand. The privacy statement was only available in English, according to the AP. TikTok has appealed against the fine and indicates that a shorter and more accessible version of the privacy statement is available in Dutch. Whether all the elements that make up the transparency requirement have been met is also central to the DPC's investigation.

Transfers

The DPC's second investigation concerns the transfer of personal data by TikTok to China and other third countries. In principle, transfers of personal data may only take place to countries that the European Commission has determined to offer an adequate level of protection in a so-called "adequacy decision." If a third country does not offer an adequate level of protection, transfer may only take place on the basis of one of the legal provisions in the GDPR. In some circumstances, model contracts from the European Commission may then be used, for example. In any case, China is not a country with an adequate level of protection established by the European Commission. Whether data transfers by TikTok to China and other countries outside the EU are permitted therefore depends on whether any of the legal provisions are met. The DPC is examining whether TikTok has complied with these.

Collective action

The House of Representatives has put questions to the outgoing State Secretary for Economic Affairs and Climate Change in response to the announced investigation. It wonders what the government is doing to protect children in the Netherlands from the risks of mobile apps. In any case, the announced investigation shows the importance of providing information transparently and implementing privacy by design and by default.
