French Data Authority Investigating TikTok Data Management

France’s CNIL announced that it has initiated an investigation into data management practices of the social media platform TikTok.

A spokeswoman for France’s CNIL revealed that it begun examining how the social media app manages user data in May 2020 in response to a complaint that was submitted in relation to a video deletion request. As per the General Data Protection Regulation (GDPR) that was introduced on May 25 2018 by the European Union’s data protection framework, EU citizens who have provided consent for their data to be managed are allocated a number of rights including that to have their a copy of their private data.

The CNIL  spokeswoman stated that, since it began, the investigation into TikTok has since been expanded to include issues linked with transparency requirements about how it processes user data; users’ data access rights. transfers of user data outside the EU and steps the platform takes to see to it that the data of minors is adequately secured, given the app’s popularity with teens.  French data protection legislation states that children may consent to the processing of their data for information social services such as TikTok at aged 15, or younger if parental consent is provided.

However, as TikTok is attempting to designate Ireland’s Data Protection Commission (DPC) as its lead authority in Europe, while creating a presence in Ireland to manage private data for EU-based user, the validity of the investigation of the French data protection agency may come into question. Should TikTok move the GDPR investigation to the Irish Data Protection Commission, a body renowned as being more lenient when it comes to the enforcement of GDPR, it may be able to avoid any potential GDPR penalty.

Under Europe’s GDPR framework, national data watchdogs have powers to issue penalties of up to 4% of a company’s global annual turnover and can also order infringing data processing to cease. But to do any of that they have to first investigate and go through the process of issuing a decision. In cross-border cases where multiple watchdogs have an interest, there’s also a requirement to liaise with other regulators to ensure there’s broad consensus on any decision.

The CNIL’s spokeswoman stressed that there is a standard of proof that must be met by TikTok. She said: “The [TikTok] investigations could therefore ultimately be the sole responsibility of the Irish protection authority, which will have to deal with the case in cooperation with the other European data protection authorities. To come under the sole jurisdiction of the Irish authority and not of each of the authorities, Tiktok will nevertheless have to prove that its establishment in Ireland fulfils the conditions of a ‘principal establishment’ within the meaning of the GDPR.”

A TikTok spokesperson said: “TikTok’s top priority is protecting our users’ privacy and safety. We are aware of CNIL’s investigation and are fully cooperating with them.”