The Data Protection Commission (DPC) of Ireland has initiated two own-volition inquiries into TikTok Technology Limited’s compliance with the General Data Protection Regulation (GDPR).
In a press release, the DPC said the first inquiry will examine TikTok’s compliance with the privacy by design requirements. It will evaluate the processing of personal data in the context of platform settings for users under 18 years of age, and age verification measures for persons under 13. Further, it will also examine the company’s compliance with the transparency obligations with respect to the processing of personal data of users under age 18.
The second inquiry will look into the transfer of personal data to China, and transfer to other third countries.
Why the Irish DPC?
The GDPR has a one-stop-shop mechanism. As such, businesses operating in more than one European Union market would need to deal with only one ‘lead’ data protection authority [Article 56]. Even if another supervisory authority receives a complaint, it shall refer the complaint to the lead supervisory authority. TikTok has its headquarters in Ireland, so the Irish Data Protection Authority would be the lead authority here.
Ireland is notably the lead regulator for many of the world’s top internet firms. However, privacy advocates have criticized the Irish DPC for being lax with GDPR enforcement. The Commission also takes too much time to resolve cases. As of May 2021, the commission was the lead supervisory authority for 164 cases. However, 98% of the cases remain unresolved.
In July this year, the European Data Protection Board (EDPB) met after eight DPCs raised objections to the initial fine of €50 million against WhatsApp. Subsequently, the EDPB issued a binding decision and instructed the Irish DPC to reassess and increase its proposed fine. The DPC ultimately raised the fine to €225 million.
Citing the Irish DPC as a bottleneck, the Court of Justice for the European Union recently affirmed that in certain circumstances, a national Data Protection Authority (DPA) can investigate a case even if it is not the lead data supervisor under the GDPR.
What is Privacy By Design?
Article 25 of the GDPR says that a data controller [official who decides the purpose of data processing, and how to process it] should implement appropriate technical and organizational measures at the stage of determining the means of processing and at the time of processing itself.
In simple terms, data controllers should aid the development of information technology systems in compliance with the data protection principles. Such an implementation would mean that by default, only personal data that is necessary for a specific purpose is processed.
In March this year, TikTok settled a privacy lawsuit in the US for $92 million. The lawsuit was initiated in the State of Illinois, known to have a strict privacy law. The petitioners alleged that TikTok failed to obtain consent to collect user data.
Restrictions regarding processing data of a child
Article 8 of the GDPR bars any data controller from processing the data of a child under 16 years of age. However, it can do so if it obtains consent from the person who holds parental responsibility over the child.
Further, the controller shall make reasonable efforts to verify in such cases that consent is given by the guardian.