TikTok ‘pauses’ privacy policy switch in Europe after regulatory scrutiny

TikTok has agreed to pause a controversial privacy policy update in Europe, which had been due to happen tomorrow, and would have meant the platform stopped asking users for their consent to be tracked to receive targeted advertising, TechCrunch has learned.

The Irish Data Protection Commission (DPC), TikTok’s lead privacy regulator for the European Union’s General Data Protection Regulation (GDPR), said the “pause” follows “engagement” between the oversight office and the tech giant yesterday.

“Further to engagement with the DPC yesterday, TikTok has now agreed to pause the application of the changes to allow for the DPC to carry out its analysis,” a DPC spokesperson told TechCrunch.

TikTok has been contacted for comment.

Update: A company spokesperson has now sent us this statement:

While we engage on the questions from stakeholders about our proposed personalised advertising changes in Europe, we are pausing the introduction of that part of our privacy policy update.

We believe that personalised advertising provides the best in-app experience for our community and brings us in line with industry practices, and we look forward to engaging with stakeholders and addressing their concerns.

The development follows a formal warning to TikTok from Italy’s data protection watchdog yesterday, when the Italian regulator suggested the planned switch, away from asking users for their consent to run “personalized” ads to claiming it could process the data under a legal ground known as “legitimate interest” (which avoids the need to ask data subjects for consent), would breach the ePrivacy Directive — and, in its view, the GDPR too.

Privacy experts had also questioned the appropriateness of TikTok using a legitimate interest ground to run behavioral advertising.

Yet, as recently as yesterday, TikTok was still defending its plan.

Asked then about the Italian DPA’s formal warning, a TikTok spokesperson told us it was evaluating the notice — while simultaneously claiming to be “committed to respecting the privacy of our users, being transparent about our privacy practices, and operating in compliance with all relevant regulations“.

For legitimate interest to be a valid legal basis for processing personal data under EU law, a data processor must conduct a series of tests to assess, firstly, whether it has a legitimate purpose for carrying out the processing; and, secondly, that the processing is necessary for the purpose identified. But there is a third, balancing test — where it must consider the rights and freedoms of the individuals whose information would be involved.

The U.K.’s data protection watchdog, the ICO, has some cautionary guidance on the first two tests — warning data processors that:

You should be careful not to confuse processing that is necessary for your stated purpose with processing which is only necessary because of your chosen method of pursuing that purpose. In the context of legitimate interests, you may be able to argue that some non-essential features of your processing (such as profiling or marketing) are necessary for your purposes. However, this is only the case if you clearly identify the specific purpose behind those particular features, and don’t hide behind a vague business objective that could be achieved in another way.

But the balancing test is likely to be the biggest bar to TikTok’s attempt to use legitimate interests to run behavioral advertising as the test requires it to justify any impact on individuals — which can mean things like users’ ability to exercise their data protection rights and not lose control of their data or experience any social or economic disadvantage, per the ICO guidance.

The adtech infrastructural and algorithms which feed on the high velocity trading of personal data to run auctions for behavioral advertising have, meanwhile, been shown lacking adequate security to protect people’s information (as the GDPR requires); and been found acting as a conduit for myriad forms of discrimination, among other linked harms.

Such is the high bar set by the GDPR’s legitimate interest balancing test, that one EU DPA, the Dutch authority, has — per local press reports –taken the (exceptional position) that legitimate interests cannot be used for a commercial interest, period. Case law suggests the actual situation is more nuanced but trying to stick an entire behavioral advertising business model on an LI footing certainly merits very close attention from regulators.