‘TIKTOK AND THE DATA PROTECTION OF CHILDREN: Where do we stand right now?’
Guest post by Hanne Minke
Swipe, swipe, swipe, and swipe. This is probably what everybody knows the Chinese TikTok application (hereinafter: TikTok) for. TikTok provides us an endless amount of video content, which is very addictive for its users. As the TikTok community has grown rapidly, it is interesting to wonder how TikTok is improving its privacy- and data protection practice.1 Especially, since TikTok has many users, who are under eighteen. Research showed that in 2020 already 18 million users of TikTok were under the age of fourteen.2 Because of this, TikTok has made the news several times due to its lacking policies concerning privacy- and data protection, especially when it comes to minors. Therefore, this paper will outline the following research question: ‘Since TikTok faced several enforcement cases, to what extent is TikTok improving its privacy- and data protection practice to minors, when taking the GDPR into consideration?’ This is important since children are very vulnerable while engaging online.3 Children do not look the same to the value of their privacy as adults. When processing children’s data is not being done carefully, children can become an easy victim of exploitive data collecting methods.4 This essay has the following structure: to begin with, it will outline the General Data Protection Regulation 206/679 (hereinafter: GDPR) and how that is important considering TikTok. After that, it will point out several cases against TikTok. Then, this essay will investigate the improvements TikTok might or might not made. Finally, there will be a conclusion followed by a recommendation.
II. The GDPR
The European Union (hereinafter: EU) expended its data- collecting and processing protection policies, by introducing the GDPR in 2018.5 The GDPR is the European legal framework for data protection of natural persons, as Article 1 of the GDPR explains.6 Whether the GDPR is applicable, needs to be determined throughout Article- 2 and 3 of the GDPR. Article 2 covers the material scope, Article 3 the territorial scope of the GDPR. Especially Article 3(1) deserves being mentioned, since this article clarifies that the GDPR covers data protection against organizations that process data inside and outside the EU.7 TikTok did not have an European headquarter until July 29, 2022, but can still be held liable for neglecting the GDPR, before they were situated in the EU.8 This follows out of Recital 22 of the GDPR, which explains that it is important that any form of data processing, of EU citizens, even though the processing takes place outside the EU, falls within the scope of the GDPR.9 Further, Article 4 is important, because it runs over the purpose of the GDPR, namely cases conducting ‘personal data being processed’.10 Article 4(1) defines ‘personal data’ as: any information relating to an identified or identifiable natural person. Article 4(2) explains that ‘processing’ means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.’ If Article 2(1), Article 3(1), Article 4(1), and Article 4(2) are being reviewed, it can be concluded that TikTok can be held liable for neglecting the GDPR when collecting and processing personal data of EU citizens.11 Therefore, TikTok has been, or is, facing several claims due to actions or policies not aligning with the GDPR.
III. Relevant enforcement cases
III. Are there improvements considering TikTok’s data-protection and processing practice noticeable?
As mentioned above, TikTok and its privacy- and data processing practices are being watched closely, especially when this relates to children. Numerous claims have been made against the company, since the GDPR has been implemented back in 2018. Do I notice any improvements on TikTok its privacy- and data processing practices? Since TikTok faced several claims due to violating GDPR rights, it seems logic that TikTok would be more careful, or at least more transparent. But two months ago, the Irish Data Protection Commission (Hereinafter: DPC) announced that it will indicate several fines, because they had a big investigation on how TikTok is processing children’s data.34 The investigation was mostly about children’s data processing and age verification.35 The draft decision mentions that the decision on the preliminary fines is being considered under Article 60 GDPR by other data protection regulators in the EU.36 However the DPC has not mentioned any amount yet.37 Even though, there are still ongoing investigations when it comes to TikTok its data- processing and protection practices, it seems like TikTok is willing to improve things, based on the claims that have been made. For example, TikTok blocked the live chat and video streaming function for children who have not reached the age of sixteen. Besides this, TikTok extended parental control when it comes to inappropriate content.38 Furthermore, TikTok seems to take Article 12(1) more into account, since it for example started to provide privacy policies in Dutch, instead of in English, for users in the Netherlands.39 TikTok also made all the accounts private of users who are under the age of sixteen and removed the option to change your age by yourself, the only way people are able to do so, is by contacting customer care. If this option would be chosen, additional information to confirm your age and identity needs to be provided.40 Besides this, TikTok changed its default settings for minors, based on the assaults the Italian DPA investigation resulted in.41 Even though, TikTok seems to have made several improvements when it comes to privacy- and data protection of minors, there is still a lack of transparency and protection.42 After investigating the app, I did not notice a proper age verification system, or a system that checks whether guardians gave their consent for using the app. A legal basis for processing children their data seems to be missing as well. So, however TikTok appears to be improving, there is still work to be done.
IV . Conclusion
If the GDPR is considered, when it comes to TikTok its data- protection and processing practices, especially to minors, several breaches can be noticed. The Dutch DPA, as well as British authorities, The Italian DPA and the French ‘watchdog’ imposed fines, or are investigating TikTok, because of its data- protection and processing practices. Even the Irish DPA announced that they might fine TikTok. Even though TikTok has made several improvements, such as providing its policies in native languages, accounts of children under sixteen are private, the option to change your age manually is being removed and the default settings for minors have been changed. However, there is still a lot of room for improvement. Stating that TikTok is already there considering its privacy- and data protection practices relating to minors, would be a bridge to far for me. Huge steps can be made, starting with providing more transparency on how data of children is being processed and protected, but also how their privacy can be genuinely guaranteed. In the United States TikTok is already facing a total ban.43 So, for the online platform to remain the rising star in social media, I would suggest that they keep investing in a safe environment for minors considering their data and privacy, but in general a transparent and well protected application for children. Starting with a proper age verification and consent mechanism, as well as a legitimate legal ground for processing children’s data.
1 Samuel M Roth, ‘Data Snatchers: Analyzing TikTok’s Collection of Children’s Data and Its Compliance with Modern Data Privacy Regulations’ (2021) 22 Journal of High Technology Law 1, p3.
2 Paige Leskin, ‘TikTok Reportedly Has 18 Million Users Who Are 14 or Younger, Renewing Concerns for Children’s Safety’ (Business Insider) <https://www.businessinsider.com/tiktok-children-users-data-privacy-safety-concerns-coppa-ftc-report- 2020-8> accessed 14 December 2022.
3 Roth (n1), p. 34.
4 Roth (n1), p. 35.
5 Roth (n1), p. 7.
6 ‘Art. 1 GDPR – Subject-Matter and Objectives’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/art-1- gdpr/> accessed 14 December 2022.
7 Art. 3 GDPR – Territorial Scope’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/art-3-gdpr/> accessed 14 December 2022.
9 ‘Recital 22 - Processing by an Establishment’ (General Data Protection Regulation (GDPR)) <https://gdpr- info.eu/recitals/no-22/> accessed 14 December 2022.
10 ‘Art. 4 GDPR – Definitions’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/art-4-gdpr/> accessed 14 December 2022.
11 Tan and Ta (n 11), p. 3.
12Autoriteit Persoons Gegevens, ‘Decision to impose a fine on Tiktok’ <https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/decision_to_impose_a_fine_on_tiktok.pdf> accessed 14 December 2022, p. 3.
13‘Dutch DPA: TikTok Fined for Violating Children’s Privacy | European Data Protection Board’ <https://edpb.europa.eu/news/national-news/2021/dutch-dpa-tiktok-fined-violating-childrens-privacy_en> accessed 16 December 2022.
15 ‘Article 12: Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject’ <https://www.gdpr.org/regulation/article-12.html> accessed 14 December 2022.
16 Tan and Ta (n 11), p. 1.
17 Tan and Ta (n 11), p. 2.
18 Tan and Ta (n 11), p. 2.
19 Mark Sweney, ‘TikTok Could Face £27m Fine for Failing to Protect Children’s Privacy’ The Guardian (26 September 2022) <https://www.theguardian.com/technology/2022/sep/26/tiktok-fine-protect-children-privacy-uk-data-protection> accessed 14 December 2022.
20 Emma Woollacott, ‘TikTok Warned Of Possible $29 Million Fine For Processing Children’s Data’ (Forbes) <https://www.forbes.com/sites/emmawoollacott/2022/09/27/tiktok-warned-of-possible-29m-fine-for-processing- childrens-data/> accessed 14 December 2022.
21 ‘Art. 8 GDPR – Conditions Applicable to Child’s Consent in Relation to Information Society Services’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/art-8-gdpr/> accessed 14 December 2022.
22 Sweney (n 20).
23 Eva Lievens, ‘Dutch DPA Fines TikTok for Not Offering Understandable Information to Children’ (2021) 7 European Data Protection Law Review (EDPL), p. 427.
24 Roth (n 1), p. 34.
25 Lievens (n 24), p. 426.
26 Lievens (n 24), p. 426.
27 ‘TikTok Has until Friday to Respond to Italy’s Order to Block Users It Can’t Age-Verify after Girl’s Death | TechCrunch’ <https://techcrunch.com/2021/01/25/tiktok-has-until-friday-to-respond-to-italys-order-to-block-users-it-cant-age-verify- after-girls-death/> accessed 14 December 2022.
32 Roth (n1), p. 34.
33 Roth (n1), p. 32.
34 Gordon Deegan, ‘DPC to Impose “Preliminary Range of Fines” on TikTok over Children’s Data’ (The Irish Times) <https://www.irishtimes.com/business/2022/11/24/dpc-to-impose-preliminary-range-of-fines-on-tiktok-over-childrens- data/> accessed 14 December 2022.
36 Irish DPC Sends Draft TikTok Children’s Privacy Decision to EDPB’ <https://iapp.org/news/a/irish-dpc-sends-draft-tiktok- childrens-privacy-decision-to-edpb/> accessed 16 December 2022.
37 Deegan (n35).
38 ‘Dutch Watchdog to Investigate TikTok’s Use of Children’s Data’ Reuters (8 May 2020) <https://www.reuters.com/article/us-netherlands-dataprivacy-tiktok-idUSKBN22K1UE> accessed 14 December 2022.
40 Ron Lyons Jr, ‘How to Change Your Age on TikTok If It Was Entered Incorrectly’ (Business Insider) <https://www.businessinsider.com/guides/tech/how-to-change-your-age-on-tiktok> accessed 15 December 2022.
41 Roth (n1), p. 42.
42 Roth (n1), p. 41.
43 Richard Waters, ‘Crunch Time for TikTok in the US’ Financial Times (15 December 2022) <https://www.ft.com/content/340e56e4-9db0-4399-b691-41f52decc71e> accessed 15 December 2022.