Social media platforms’ data protection practices are coming under increasing scrutiny, and this time it’s TikTok’s turn in the spotlight. The popular app is used by teenagers and young adults in more than 150 countries, but recent developments in the Netherlands raise issues of consumer rights and data protection.

This blog will use those examples to look at issues of processing data without transparency, and apps’ use of user profiling for microtargeting and marketing. What is the legal basis for such processing under the General Data Protection Regulation (GDPR), and what does this mean going forward?

Any mobile app that collects or processes the data of EU citizens falls under the jurisdiction of the GDPR. The data protection requirements for mobile apps include:

  • Explicit consent from mobile app users before collecting their personal information
  • Data protection by design and by default
  • User access to data.

This applies both to companies based within the EU and those that process and transfer data from the EU but are located outside it.

The Netherlands vs TikTok

TikTok’s maker ByteDance has encountered several data protection and privacy issues in the Netherlands. On 2 September 2021, a Dutch foundation, Massaschade & Consument (Mass Damage and Consumer), began a class action suit in the Amsterdam Court on behalf of 4.5 million TikTok members in the Netherlands. Its €6 billion claim for damages makes this the biggest case against TikTok currently being conducted.

The primary issues involve the improper processing of personal data. The foundation’s case against TikTok Inc alleges violations of the fundamental rights of consumers in the Netherlands on a large scale. The group is particularly concerned about the collection of very personal information about consumers, which TikTok uses to create profiles that it shares with advertisers.

The main violations the foundation is putting forward are that TikTok:

  • Collects and processes personal data without a legal basis (under Article 6 of the GDPR there must be a legal basis for processing of personal data)
  • Provides insufficient transparency to its users (pursuant to Articles 13 and 14)
  • Transfers personal data to China and the USA, which constitute third countries, as neither one has appropriately equivalent GDPR safeguards in place
  • Uses detailed profiles of consumers for advertising purposes and automated decision-making, including towards children (in violation of Article 22 of the GDPR, which states that data subjects shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her)
  • Fails to protect users sufficiently against harmful content.

The foundation aims to stand up for the rights of children and young adults and wants TikTok to cease this conduct. The claim per person breaks down as follows: €1,750 (for users aged 6-12); €1,500 (13-17 years); €1,250 (aged 18 and older).

Previous privacy concerns

As of now, TikTok has yet to comment on the proposed claim. But it’s not the first; there have been two other cases taken against TikTok in the Netherlands. The Consumers’ Association previously filed claims against the social network for violating children’s privacy and consumer rights. On 24 June 2021, together with the Take Back Your Privacy Foundation, the association launched a €1.5 billion claim for the alleged unlawful collection and trading of children’s data.

In particular, the Consumers’ Association claimed that TikTok collects and monitors profile information, videos, photos, location data, and in-app activity. This was an issue of infringing upon personal rights due to the nature of the data being collected. In August 2021, the Consumers’ Association and the Take Back Your Privacy Foundation announced they would take TikTok Inc. to court to demand that TikTok stop its unlawful acts, delete all illegally collected personal data and pay compensation.

In July 2021, the Dutch Data Protection Authority (DPA) fined TikTok Inc €750,000. The decision outlined that between May 2018 and 28 July 2020, TikTok provided its privacy notice in English and not Dutch to Dutch users, including children. This violates Article 12(1) of the GDPR for failing to provide an adequate and transparent communication of how it collects, processes, and uses personal data. TikTok did, however, appeal this fine.

The Dutch DPA announced its investigation into TikTok back in May 2020, centred on whether it was appropriately safeguarding children’s data. The DPA outlined that the GDPR treats children as a particularly vulnerable group due to their being less aware of the consequences of their actions, especially when processing their personal data through social media.

Transparency to the forefront

The fines proposed and the ongoing cases being brought to court in the Netherlands over TikTok shed light on the issues of processing personal data, transparency and being subjected to algorithmic microtargeted advertising via popular social media apps – especially apps used primarily by young adults, teenagers, and children. The issue in the Netherlands may become a broader issue across Europe for both TikTok and its users if the app’s makers don’t take mitigating actions and make changes to it. In September, Ireland’s Data Protection Commission confirmed it has launched two separate investigations into TikTok, examining its compliance with GDPR requirements for the processing of children’s personal data.

Following the large fine the DPC imposed against WhatsApp for its noncompliance with GDPR, we are in an era where compliance with data protection and privacy is being taken very seriously. These issues also get broad media coverage.

The fines and claims proposed against WhatsApp and TikTok show, now more than ever, how important it is for organisations to comply with regulations and have effective measures for protecting data. One way to avoid falling foul is to carry out a data protection impact assessment (DPIA) that identifies risks. Another option is to avail of advisory services on social media use.

Cliona Perrick is a data protection analyst with BH Consulting