TikTok is under investigation by The Irish Data Protection Commission (DPC) – its lead regulator in the EU – over two privacy-related issues.
The watchdog is looking into its processing of children’s personal data, and whether TikTok is in line with EU laws about transferring personal data to other countries, such as China.
TikTok said privacy was “our highest priority”.
The Irish DPC said it was specifically looking into GDPR-related issues.
These are the EU privacy laws which can potentially lead to enormous fines of up to 4% of a company’s global turnover.
It said the first inquiry would examine “the processing of personal data… for users under age 18, and age verification measures for persons under 13”. It will also look into how transparent TikTok has been about how it processes such data.
It is not the first time the Irish DPC has investigated such matters. In October 2020, it announced it was looking into Instagram’s handling of children’s personal data.
And Tiktok has already faced a similar collective legal action in the UK, spearheaded by a former children’s commissioner.
The second investigation announced this week is a more uniquely TikTok problem.
It is around “transfers by TikTok of personal data to China”, the DPC said. TikTok is owned by Chinese company ByteDance, and has repeatedly faced accusations that it shares data with Chinese companies – or even the Chinese government, something the firm strenuously denies.
During Donald Trump’s presidency, it was nearly banned in the US – although that order has since been dropped.
The DPC’s investigation is more tightly concerned with whether TikTok is obeying EU rules on transfers of data to so-called “third countries” – places to which the EU has not given a seal of approval over their privacy laws.
TikTok has already made a series of changes to its systems to fend off both allegations.
In January, it made all under-16s’ accounts private by default, as part of a bid to improve child safety on the platform.
It followed that up in July by deleting millions of accounts which it said belonged to under-13s, who are not supposed to be allowed on the platform at all.
And in August, it announced it would no longer send push notifications to children’s accounts during certain times of the day, saying it was designed to help children study, relax, and sleep.
In a statement, TikTok said: “We’ve implemented extensive policies and controls to safeguard user data and rely on approved methods for data being transferred from Europe, such as standard contractual clauses. We intend to fully co-operate with the DPC.”
The Irish data commissioner takes a lead role in regulating many of the world’s largest tech firms, as the European headquarters of companies such as TikTok, Facebook, and Google are all based in Ireland.
However, it has been accused by some of having a lax approach to enforcement.
For example, it recently handed WhatsApp the second-largest GDPR fine on record, of €225m (£193m).
It initially recommended a much smaller fine of €30m-50m, but faced objections from the data watchdogs of several other EU states. The disagreement eventually went before a formal EU board, which told the Irish DPC to change its finding and issue a higher fine.
Max Schrems, a well-known privacy advocate and established critic of the Irish regulator, said at the time that incident “shows how the DPC is still extremely dysfunctional”.