The GDPR probe into the legality of the video sharing platform’s data transfers to China is being led by Ireland’s Data Protection Commission (DPC), TikTok’s lead privacy regulator in the region, which opened the inquiry just over a year ago. The DPC told TechCrunch today that it expects its TikTok data transfers inquiry to progress to the next stage in the coming months — with a draft decision slated to be sent to other EU DPAs for review in the first quarter of next year.
This ‘Article 60’ review process could lead either to an affirming of Ireland’s draft decision — which would then, in relatively short order, allow for a final decision to be issued (potentially before the middle of next year, judging by past inquiry timelines). However if other EU regulators raise objections to Ireland’s draft decision the inquiry would have to move to an ‘Article 65’ dispute resolution process — which could add many more months to the process before a final decision could be issued as the bloc’s regulators seek consensus.
But the disclosure of China staffers accessing European user data could also be a not-very-subtle attempt to preempt regulatory enforcement over its data transfers — and try to soften a future blow by being able to point to steps already taken to improve its transparency with European users. (Not that that is the only potential issue of regulatory concern vis-a-vis data exports, though.)
However in a blog post announcing the update, the company claimed the changes “include greater transparency into how we share user information outside of Europe”.
That’s notable because transparency is a key principle of the GDPR — while infringements of the transparency principle can lead to stiff penalties (such as the $267M fine for Meta-owned WhatsApp last year, after an Ireland-led inquiry found a string of transparency breaches).
So, if it’s transparency TikTok is really shooting for here it still looks like it has work to do.
Also still a work in progress for TikTok: A data localization project to store European users’ data in the region — which, earlier this year, it announced had been delayed again (until 2023).
Thing is, if TikTok intends to continue to allow employees located in countries with no EU adequacy agreement affirming they have essentially equivalent data protection standards as the bloc to have remote access to European users’ information then questions over the legality of its international data transfers are likely to persist.
But, as the EDPB guidance on data transfers points out, each transfer to a third country must be individually assessed and some may not be possible legally, even with supplementary measures applied. So every single one of these transfers will need to stand up to regulatory scrutiny.
Given so many third country transfers, TikTok’s European data localization project can only — at least for now — be considered a PR exercise. And/or an attempt to curry favor with local regulators in the hopes they take a kinder view of ongoing data exports. Unless or until it ceases data exports to third countries and finds a way to fully firewall its parent entity in China from being able to access any European users’ data in the clear.
TikTok’s spokesman declined to comment on any future plans it may have to further adapt its data transfers in light of these challenges but he pointed back to its blog post — which describes its approach to data governance in Europe as being “centred on limiting the number of employees with access to European user data, minimising data flows outside of the region, and storing European user data locally.”
TikTok’s wider problem is that it’s facing dialed up regulatory scrutiny across the Western world more generally as a result of security concerns attached to the Chinese state’s ability to gain access to data commercial platforms/services hold on their users — with national security laws in its home country overriding the usual standard contractual protections.
Its platform also collects an awful lot of user data — which only fuels concerns about its capacity to be repurposed as a data honeypot for state surveillance or even for ‘soft power’ foreign influence ops.
For example, TikTok recently agreed to freeze a controversial change to the legal basis it relies upon to run targeting advertising after a formal warning from the Italian DPA — and some follow-up “engagement” from the DPC — over a plan to remove consent (and claim a legitimate interest to run targeted ads). So its profiling and ad targeting model is facing challenges on a number of fronts, even as it tries to defend its business against wider, geopolitical-related security concerns.