TikTok, the video-driven social media platform, is facing two separate inquiries from Ireland's Data Protection Commission (DPC), marking the latest regulatory concerns over the popular video app.
The data regulator announced on Tuesday that it was examining TikTok’s compliance with Europe’s GDPR requirements in its processing of children’s personal data.
The DPC is also looking at the issue of transfers of data to China, where TikTok's parent ByteDance is based to see if they comply with the obligations set down by EU data protection law.
TikTok is very popular with teenagers, with about one-third of users reported to be aged between 10 and 19. The platform requires users to be aged at least 13 to have full uncurated access. Younger users often bypass this requirement by inserting a false birthdate.
The first DPC inquiry will examine the age verification measures used by the platform to ensure people under the age of 13 do not have free use of the site.
It will also look at the processing of personal data in the context of platform settings for users under the age of 18, as well as transparency requirements on how such data is processed.
Companies can be fined up to 4 per cent of annual global revenues, or €20 million, for GDPR breaches. ByteDance reported annual revenues of $34.3 billion in 2020, an increase of 111 per cent from the previous year. TikTok is in the process of opening an EU headquarters in Dublin.
"We've implemented extensive policies and controls to safeguard user data and rely on approved methods for data being transferred from Europe, such as standard contractual clause," the company said, adding that it would co-operate with the Irish regulator.
The investigations came as TikTok, which soared in popularity among teenagers during pandemic-related lockdowns, battles national security and privacy concerns worldwide.
Joe Biden’s administration is reviewing former president Donald Trump’s efforts to ban the app as a threat to national security amid wider fears that Chinese companies could share American citizens’ data with Beijing for espionage purposes.
TikTok has said it does not share American user data with the Chinese government. ByteDance held talks last year with several companies, including Microsoft and Oracle, over a potential sale of its US operations in an effort to resolve its tensions with Washington.
Separately, TikTok has been sued for several billion pounds for allegedly illegally collecting the personal information of millions of children in the UK and Europe. The claim, which is backed by Anne Longfield, the former children's commissioner of England, argues that children's data was collected without sufficient consent – which for underage users would need to be given by an adult – or transparency.
TikTok denied the claims, arguing that it had “robust policies” in place to “protect all users, and our teenage users in particular”.
The app has also faced child privacy complaints in the US. ByteDance was fined $5.7 million (€4.8 million) in 2019 by the Federal Trade Commission for illegally collecting children’s data.
In July, TikTok was fined €750,000 by the Dutch data protection authority for violating the privacy of child users. The regulator argued that, by not publishing its privacy policies in Dutch, the app failed to provide “an adequate explanation of how the app collects, processes and uses personal data” for younger users who do not speak English.
The platform has also been under investigation by the UK information commissioner’s office since 2019 over its handling of children’s data. TikTok said it would work with the investigation. – Additional reporting The Financial Times Limited 2021