8 April 2021 | By Marten Männis
TikTok: Dutch nonprofit alleges serious infringements of GDPR
On 7 April 2021, the Stichting Onderzoek Marktinformatie (SOMI) (translated as the Foundation for Market Information Research) submitted a complaint to the Irish Data Protection Commission in Dublin concerning the social media platform TikTok, alleging several severe violations of the General Data Protection Regulation. The application comes in light of the latest viral “challenges” on the platform, which have led to the deaths of several children.
SOMI is a Dutch-based non-profit organisation advocating for privacy rights and against the misuse of personal data and violations of GDPR. In their complaint to the Irish regulator, SOMI is said to represent the digital rights and interests of 60,000 European citizens. Per their mission, SOMI organises campaigns, collecting signatures and asking people to provide evidence supporting their claim. Once a certain threshold is reached, the claim is petitioned. In favourable rulings, the non-profit distributes compensation amongst registered participants.
In their complaint, SOMI alleges several major infringements by the platform: the use of the platform by minors and the lack of any appropriate safeguards for them; the unlawful processing of personal data; the platform having no adequate technical and organisational measures to protect personal data; and the unlawful sharing of personal data.
The alleged lack of safeguards for minors is tied to the exponential rise in the usage of TikTok amongst minors in Europe. Whereas in February 2020, the number of users in the Netherlands hovered around 1 million, of which 830,000 were between the ages of 6 and 18, the user base has risen to around 1.7 million Dutch people in a year. The latest numbers estimate that approximately 700,000 of these Dutch users are between the ages of 6 and 14. Daily usage has also skyrocketed, with individuals spending increasingly more time on the platform. Due to the concerns about the data processing of minors at such a scale, the Dutch Data Protection Authority launched an investigation in May 2020.
SOMI alleges infringements under Article 8 of the GDPR and Article 5 of the Uitvoeringswet AVG (the General Data Protection Regulation Implementation Act in the Netherlands), which concern the data processing of minors. The articles require data controllers to obtain parental authorisation for the processing of personal data of individuals younger than sixteen. SOMI alleges that the current procedure of TikTok for age verification is not compliant with these requirements and thus is in violation of the GDPR and subsequent legislation.
SOMI also brings out the numerous dangerous “challenges” that have gone viral on the platform. The recent “Blackout challenge”, which, amongst other deaths, saw the death of a 10-year-old girl in Italy, prompted the Italian authorities and TikTok to restrict access to the platform for all users who gave their age as under 13. Other notable “challenges” include the “Skull-breaker challenge” from 2020, whereby people kick the legs from underneath a person in the air, which led to multiple severe injuries across the globe, and the “Benadryl challenge”, where individuals intentionally overdose on the antihistamine, which can be deadly. SOMI argues that though these practices are forbidden under the platform’s guidelines, TikTok is either unable or unwilling to address these issues in a sufficient manner.
Furthermore, SOMI brings out other concrete examples of harm, including the platform’s inadequacy in addressing predatory behaviour towards children, and more abstract forms of potential harm, such as the effect the platform has on mental health and the potential exclusion of certain political views and the LGBTQ community, amongst other vulnerable groups.
The second infringement SOMI alleges is the unlawful processing of personal data, which concerns general privacy violations. The platform has not taken any appropriate measures to ensure the strict collection of data, with SOMI alleging that the design, architecture and the default settings of the app are in breach of the general principles of the GDPR underlined in Article 5. Furthermore, the platform also does not take into account Article 25 of the GDPR, whereby data controllers should implement appropriate technical and organisational measures…, which are designed to implement data protection principles, such as data minimisation. SOMI also highlights that the platform provides neither an opt-in possibility nor an opt-out choice.
Other security risks found by the analysis include pervasive data collection, including information such as IMEI numbers, enabling remote webview by default, giving users access to raw SQL commands, and hard-coding API tokens into its code in plaintext. Furthermore, certain procedures utilised in the app code, such as the frequency with which webview and Java reflection are used, or the insecure use of SSL/TLS, even ignoring SSL/TLS errors altogether, can lead to a very high security risk.
The data-sharing practices of the platform have also been under increased scrutiny in recent years. In late 2019, a German publication concluded that usage time, videos viewed, subscribed channels, search queries and more are forwarded to other companies such as Facebook. SOMI alleges that in later updates, TikTok has made it even harder to follow what data is shared with which third parties.
This is not the first investigation into TikTok’s data processing and practices in the EU. During the 31st Plenary session of the European Data Protection Board in June 2020, the Board decided to establish a taskforce in order to both co-ordinate potential actions and to get a better overview of TikTok’s practices. Furthermore, the platform has faced similar allegations in the US in recent years, specifically concerning the processing of the data of minors. Last year, TikTok classified more than a third of its then 49 million daily users as being 14 years old or younger.