Published by TECHCRUNCH.COM
Summary generated on August 11, 2020
A spokeswoman for France's CNIL told us it opened an investigation into how the app handles user data in May 2020, following a complaint related to a request to delete a video.
Under the European Union's data protection framework, citizens who have given consent for their data to be processed continue to hold a range of rights attached to their personal data, including the ability to request a copy or deletion of the information, or ask for their data in a portable form.
Which means data controllers must provide data subjects with clear information on the purposes of processing - including in order to obtain legally valid consent to process the data.
The CNIL's spokeswoman told us its complaint-triggered investigation into TikTok has since widened to include issues related to transparency requirements about how it processes user data; users' data access rights; transfers of user data outside the EU; and steps the platform takes to ensure the data of minors is adequately protected - a key issue, given the app's popularity with teens.
French data protection law lets children consent to the processing of their data for information social services such as TikTok at aged 15.
In further emailed remarks its spokeswoman noted the company is seeking to designate Ireland's Data Protection Commission as its lead authority in Europe - and is setting up an establishment in Ireland for that purpose.
If TikTok is able to satisfy the legal conditions it may be able to move any GDPR investigation to the DPC - which has gained a reputation for being painstakingly slow to enforce complex cross-border GDPR cases.
Though in late May it finally submitted a first draft decision to the other EU data watchdogs for review.
"The [TikTok] investigations could therefore ultimately be the sole responsibility of the Irish protection authority, which will have to deal with the case in cooperation with the other European data protection authorities," the CNIL's spokeswoman noted, before emphasizing there is a standard of proof it will have to meet.
Under Europe's GDPR framework, national data watchdogs have powers to issue penalties of up to 4% of a company's global annual turnover and can also order infringing data processing to cease.