TikTok is under investigation by The Irish Data Protection Commission (DPC) – its lead regulator in the EU – over two privacy-related issues.
The watchdog is investigating its processing of children’s personal data, as well as whether TikTok is in compliance with EU laws regarding the transfer of personal data to other countries, such as China.
TikTok stated that privacy was “our top priority.”
The Irish DPC stated that it was specifically investigating GDPR-related issues.
These are the EU privacy laws, which can result in massive fines of up to 4% of a company’s global turnover.
It stated that the first investigation would look into “the processing of personal data… for users under the age of 18, as well as age verification measures for persons under the age of 13.” It will also investigate TikTok’s transparency regarding how it processes such data.
It is not the first time the Irish DPC has investigated such matters. In October 2020, it announced it was looking into Instagram’s handling of children’s personal data.
And Tiktok has already faced a similar collective legal action in the UK, spearheaded by a former children’s commissioner.
The second investigation announced this week is a more uniquely TikTok problem.
The issue revolves around “TikTok transfers of personal data to China,” according to the DPC. TikTok is owned by the Chinese company ByteDance, and the company has been repeatedly accused of sharing data with Chinese companies – or even the Chinese government, which it categorically denies.
During Donald Trump’s presidency, it was nearly banned in the US – although that order has since been dropped.
The DPC’s investigation is more focused on whether TikTok is following EU rules regarding data transfers to so-called “third countries,” or places where the EU has not given its seal of approval over their privacy laws.
TikTok has already made a number of system changes in response to both allegations.
In January, it made all under-16s’ accounts private by default, as part of a bid to improve child safety on the platform.
It followed that up in July by deleting millions of accounts which it said belonged to under-13s, who are not supposed to be allowed on the platform at all.
And in August, it announced it would no longer send push notifications to children’s accounts during certain times of the day, saying it was designed to help children study, relax, and sleep.
TikTok stated in a statement: “We’ve put in place extensive policies and controls to protect user data, and we rely on approved methods for transferring data from Europe, such as standard contractual clauses. We intend to cooperate fully with the DPC.”
Because the European headquarters of companies such as TikTok, Facebook, and Google are all based in Ireland, the Irish data commissioner takes the lead in regulating many of the world’s largest tech firms.
However, it has been accused by some of having a lax approach to enforcement.
For example, it recently handed WhatsApp the second-largest GDPR fine on record, of €225m (£193m).
It initially proposed a much smaller fine of €30m-50m, but was met with opposition from data watchdogs in several other EU countries. The dispute was eventually brought before a formal EU board, which ordered the Irish DPC to change its finding and levy a larger fine.
Max Schrems, a well-known privacy advocate and long-time critic of the Irish regulator, stated at the time that the incident “demonstrates how the DPC is still extremely dysfunctional.”