‘TIKTOK AND THE DATA PROTECTION OF CHILDREN: Where do we stand right now?’

I. Introduction

Swipe, swipe, swipe, and swipe. This is probably what everybody knows the Chinese TikTok application (hereinafter: TikTok) for. TikTok provides us an endless amount of video content, which is very addictive for its users. As the TikTok community has grown rapidly, it is interesting to wonder how TikTok is improving its privacy- and data protection practice.1 Especially, since TikTok has many users, who are under eighteen. Research showed that in 2020 already 18 million users of TikTok were under the age of fourteen.2 Because of this, TikTok has made the news several times due to its lacking policies concerning privacy- and data protection, especially when it comes to minors. Therefore, this paper will outline the following research question: ‘Since TikTok faced several enforcement cases, to what extent is TikTok improving its privacy- and data protection practice to minors, when taking the GDPR into consideration?’ This is important since children are very vulnerable while engaging online.3 Children do not look the same to the value of their privacy as adults. When processing children’s data is not being done carefully, children can become an easy victim of exploitive data collecting methods.4 This essay has the following structure: to begin with, it will outline the General Data Protection Regulation 206/679 (hereinafter: GDPR) and how that is important considering TikTok. After that, it will point out several cases against TikTok. Then, this essay will investigate the improvements TikTok might or might not made. Finally, there will be a conclusion followed by a recommendation.

II. The GDPR

The European Union (hereinafter: EU) expended its data- collecting and processing protection policies, by introducing the GDPR in 2018.5 The GDPR is the European legal framework for data protection of natural persons, as Article 1 of the GDPR explains.6 Whether the GDPR is applicable, needs to be determined throughout Article- 2 and 3 of the GDPR. Article 2 covers the material scope, Article 3 the territorial scope of the GDPR. Especially Article 3(1) deserves being mentioned, since this article clarifies that the GDPR covers data protection against organizations that process data inside and outside the EU.7 TikTok did not have an European headquarter until July 29, 2022, but can still be held liable for neglecting the GDPR, before they were situated in the EU.8 This follows out of Recital 22 of the GDPR, which explains that it is important that any form of data processing, of EU citizens, even though the processing takes place outside the EU, falls within the scope of the GDPR.9 Further, Article 4 is important, because it runs over the purpose of the GDPR, namely cases conducting ‘personal data being processed’.10 Article 4(1) defines ‘personal data’ as: any information relating to an identified or identifiable natural person. Article 4(2) explains that ‘processing’ means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.’ If Article 2(1), Article 3(1), Article 4(1), and Article 4(2) are being reviewed, it can be concluded that TikTok can be held liable for neglecting the GDPR when collecting and processing personal data of EU citizens.11 Therefore, TikTok has been, or is, facing several claims due to actions or policies not aligning with the GDPR.

III. Relevant enforcement cases

To begin with, the Dutch Data Protection Agency, (hereinafter: AP), fined TikTok for an amount of 750.000 euros, because TikTok lacked in protecting the privacy of its users.12 In the Netherlands, around 3,5 million people are users of TikTok.13 In 2020 around 1,26 million users were between thirteen and seventeen years old.14 The main issue the AP noticed, was that TikTok failed to provide a Dutch version of its privacy policy, which is a violation of Article 12(1) GDPR. This Article states that communications to the data subject concerning data processing and collecting should be ‘concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.’15 It was not clear for users what was happening to their data, especially for children, to which the English version of the privacy policy was impossibly completely understandable.16 However, TikTok mentioned that the Netherlands has always been highly ranked in the Education First English Proficiency Index since 2011. Therefore, TikTok believed that the users, children as well, were competent enough to understand the privacy policies.17 The AP did acknowledge that most Dutch people, and thus children, are proficient in English, but that does not mean that Dutch people do not hold the right to be provided with the privacy policy in their native language.18 Next, TikTok is facing a 27 million pounds fine, because it failed to protect the privacy of children.19 The Information Commissioner’s Office (Hereinafter: ICO) investigated TikTok concerning processing data of children who are under the age of thirteen. Besides that, TikTok seemed to fail with providing policies to its users in a ‘concise, transparent and easily understood way.' 20 Investigating TikTok showed that TikTok might have failed to respect to only process data of children, who do not have the age of sixteen, when their legal guardians gave their consent to whether the data of their children can be processed or not.21 The ICO mentioned that these data might be ‘special category data’, which conducts ‘ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership and genetic, biometric or health data’ for which TikTok needed permission in order to process these data.22 However, the United Kingdom is no longer member of the EU, so the GDPR is not applicable in this situation.23 Further, the Italian Data Protection Authority (hereinafter: Italian DPA) filed several cases against TikTok as well, because TikTok lacked paying attention to protecting children.24 In January 2021, the Italian DPA even imposed that the processing of data of ‘users whose age could not be established’ was limited immediately.25 The cause for this measurement was the death of a ten year old girl and was based on Article 58(2)(f) GDPR, which provides the legal basis to impose a temporary or definitive limitation or ban on processing.26 The Italian DPA ordered TikTok to block its users, whose age was not verifiable. This resulted in over 500.000 TikTok accounts in Italy being removed.27 The Italian DPA had already been concerned regarding TikTok and the way it verifies the age of its users, because this could be circumvented easily.28 Besides that, TikTok was brought under the attention of the Italian DPA, because it silently changed its terms and conditions for users in the EU. TikTok wanted to change its policy by stopping to ask for its users consent to be tracked for personalized ads, based on the trust that they would have the consent and therefore would not be needing to ask for permission.29 This was concerning to the Italian DPA because: ‘The difficulties currently encountered by TikTok in order to establish compliance with the age requirements to access the platform do not allow ruling out the risk that ‘personalized’ ads including unsuitable contents will be served to very young users based on the company’s legitimate interest.’30 In this case TikTok has only been facing a final warning, but additional measures can be taken later on.31 Summarized, the Italian DPA considered TikTok not being protective enough over children and their data and privacy, because it continued: I. using signup mechanisms which do not protect minors properly, II. unfriendly privacy default settings, III. inadequate transparency in user information and IV. circumventable age verifications.32 Finally, the French DPA (hereinafter: CNIL) also started an investigation into TikTok’s practices. CNIL claimed that TikTok was not transparent considering the data access rights of its users, but also transferred the data of its users outside the EU. Finally, CNIL accused TikTok of not protecting users under eighteen in an adequate way.33

III. Are there improvements considering TikTok’s data-protection and processing practice noticeable?

As mentioned above, TikTok and its privacy- and data processing practices are being watched closely, especially when this relates to children. Numerous claims have been made against the company, since the GDPR has been implemented back in 2018. Do I notice any improvements on TikTok its privacy- and data processing practices? Since TikTok faced several claims due to violating GDPR rights, it seems logic that TikTok would be more careful, or at least more transparent. But two months ago, the Irish Data Protection Commission (Hereinafter: DPC) announced that it will indicate several fines, because they had a big investigation on how TikTok is processing children’s data.34 The investigation was mostly about children’s data processing and age verification.35 The draft decision mentions that the decision on the preliminary fines is being considered under Article 60 GDPR by other data protection regulators in the EU.36 However the DPC has not mentioned any amount yet.37 Even though, there are still ongoing investigations when it comes to TikTok its data- processing and protection practices, it seems like TikTok is willing to improve things, based on the claims that have been made. For example, TikTok blocked the live chat and video streaming function for children who have not reached the age of sixteen. Besides this, TikTok extended parental control when it comes to inappropriate content.38 Furthermore, TikTok seems to take Article 12(1) more into account, since it for example started to provide privacy policies in Dutch, instead of in English, for users in the Netherlands.39 TikTok also made all the accounts private of users who are under the age of sixteen and removed the option to change your age by yourself, the only way people are able to do so, is by contacting customer care. If this option would be chosen, additional information to confirm your age and identity needs to be provided.40 Besides this, TikTok changed its default settings for minors, based on the assaults the Italian DPA investigation resulted in.41 Even though, TikTok seems to have made several improvements when it comes to privacy- and data protection of minors, there is still a lack of transparency and protection.42 After investigating the app, I did not notice a proper age verification system, or a system that checks whether guardians gave their consent for using the app. A legal basis for processing children their data seems to be missing as well. So, however TikTok appears to be improving, there is still work to be done.

IV . Conclusion

If the GDPR is considered, when it comes to TikTok its data- protection and processing practices, especially to minors, several breaches can be noticed. The Dutch DPA, as well as British authorities, The Italian DPA and the French ‘watchdog’ imposed fines, or are investigating TikTok, because of its data- protection and processing practices. Even the Irish DPA announced that they might fine TikTok. Even though TikTok has made several improvements, such as providing its policies in native languages, accounts of children under sixteen are private, the option to change your age manually is being removed and the default settings for minors have been changed. However, there is still a lot of room for improvement. Stating that TikTok is already there considering its privacy- and data protection practices relating to minors, would be a bridge to far for me. Huge steps can be made, starting with providing more transparency on how data of children is being processed and protected, but also how their privacy can be genuinely guaranteed. In the United States TikTok is already facing a total ban.43 So, for the online platform to remain the rising star in social media, I would suggest that they keep investing in a safe environment for minors considering their data and privacy, but in general a transparent and well protected application for children. Starting with a proper age verification and consent mechanism, as well as a legitimate legal ground for processing children’s data.

Sources

1 Samuel M Roth, ‘Data Snatchers: Analyzing TikTok’s Collection of Children’s Data and Its Compliance with Modern Data Privacy Regulations’ (2021) 22 Journal of High Technology Law 1, p3.
2 Paige Leskin, ‘TikTok Reportedly Has 18 Million Users Who Are 14 or Younger, Renewing Concerns for Children’s Safety’ (Business Insider) <https://www.businessinsider.com/tiktok-children-users-data-privacy-safety-concerns-coppa-ftc-report- 2020-8> accessed 14 December 2022.

3 Roth (n1), p. 34.
4 Roth (n1), p. 35.
5 Roth (n1), p. 7.
6 ‘Art. 1 GDPR – Subject-Matter and Objectives’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/art-1- gdpr/> accessed 14 December 2022.

7 Art. 3 GDPR – Territorial Scope’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/art-3-gdpr/> accessed 14 December 2022.
8 Charles Tan and Katie Ta, ‘GDPR Case Study: Dutch DPA Fines TikTok Over Privacy Policy’, p. 1.
9 ‘Recital 22 - Processing by an Establishment’ (General Data Protection Regulation (GDPR)) <https://gdpr- info.eu/recitals/no-22/> accessed 14 December 2022.

10 ‘Art. 4 GDPR – Definitions’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/art-4-gdpr/> accessed 14 December 2022.
11 Tan and Ta (n 11), p. 3.
12Autoriteit Persoons Gegevens, ‘Decision to impose a fine on Tiktok’ <https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/decision_to_impose_a_fine_on_tiktok.pdf> accessed 14 December 2022, p. 3.

13‘Dutch DPA: TikTok Fined for Violating Children’s Privacy | European Data Protection Board’ <https://edpb.europa.eu/news/national-news/2021/dutch-dpa-tiktok-fined-violating-childrens-privacy_en> accessed 16 December 2022.
14 Ibid.
15 ‘Article 12: Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject’ <https://www.gdpr.org/regulation/article-12.html> accessed 14 December 2022.
16 Tan and Ta (n 11), p. 1.
17 Tan and Ta (n 11), p. 2.
18 Tan and Ta (n 11), p. 2.
19 Mark Sweney, ‘TikTok Could Face £27m Fine for Failing to Protect Children’s Privacy’ The Guardian (26 September 2022) <https://www.theguardian.com/technology/2022/sep/26/tiktok-fine-protect-children-privacy-uk-data-protection> accessed 14 December 2022.

20 Emma Woollacott, ‘TikTok Warned Of Possible $29 Million Fine For Processing Children’s Data’ (Forbes) <https://www.forbes.com/sites/emmawoollacott/2022/09/27/tiktok-warned-of-possible-29m-fine-for-processing- childrens-data/> accessed 14 December 2022.
21 ‘Art. 8 GDPR – Conditions Applicable to Child’s Consent in Relation to Information Society Services’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/art-8-gdpr/> accessed 14 December 2022.

22 Sweney (n 20).
23 Eva Lievens, ‘Dutch DPA Fines TikTok for Not Offering Understandable Information to Children’ (2021) 7 European Data Protection Law Review (EDPL), p. 427.
24 Roth (n 1), p. 34.
25 Lievens (n 24), p. 426.
26 Lievens (n 24), p. 426.
27 ‘TikTok Has until Friday to Respond to Italy’s Order to Block Users It Can’t Age-Verify after Girl’s Death | TechCrunch’ <https://techcrunch.com/2021/01/25/tiktok-has-until-friday-to-respond-to-italys-order-to-block-users-it-cant-age-verify- after-girls-death/> accessed 14 December 2022.
28 ‘Tik Tok, a rischio la privacy dei minori: il Garante avvia il procedimento contro il social network’ <https://www.garanteprivacy.it:443/home/docweb/-/docweb-display/docweb/9508923> accessed 14 December 2022. 29 Natasha Lomas, ‘Italy Warns TikTok over Privacy Policy Switch’ (TechCrunch, 11 July 2022) <https://techcrunch.com/2022/07/11/tiktok-privacy-switch-warning-italy/> accessed 14 December 2022.
30 ibid.
31 ibid.
32 Roth (n1), p. 34.

33 Roth (n1), p. 32.
34 Gordon Deegan, ‘DPC to Impose “Preliminary Range of Fines” on TikTok over Children’s Data’ (The Irish Times) <https://www.irishtimes.com/business/2022/11/24/dpc-to-impose-preliminary-range-of-fines-on-tiktok-over-childrens- data/> accessed 14 December 2022.
35 ibid.
36 Irish DPC Sends Draft TikTok Children’s Privacy Decision to EDPB’ <https://iapp.org/news/a/irish-dpc-sends-draft-tiktok- childrens-privacy-decision-to-edpb/> accessed 16 December 2022.
37 Deegan (n35).
38 ‘Dutch Watchdog to Investigate TikTok’s Use of Children’s Data’ Reuters (8 May 2020) <https://www.reuters.com/article/us-netherlands-dataprivacy-tiktok-idUSKBN22K1UE> accessed 14 December 2022.
39 ‘New Privacy Policy | TikTok’ <https://www.tiktok.com/legal/page/eea/new-privacy-policy/NL> accessed 15 December 2022.
40 Ron Lyons Jr, ‘How to Change Your Age on TikTok If It Was Entered Incorrectly’ (Business Insider) <https://www.businessinsider.com/guides/tech/how-to-change-your-age-on-tiktok> accessed 15 December 2022.
41 Roth (n1), p. 42.
42 Roth (n1), p. 41.

43 Richard Waters, ‘Crunch Time for TikTok in the US’ Financial Times (15 December 2022) <https://www.ft.com/content/340e56e4-9db0-4399-b691-41f52decc71e> accessed 15 December 2022.