TikTok is failing in its obligation to protect children who use its service and likely collects and distributes the personal data of minors to unknown third parties, some of them in China, in violation of the General Data Protection Regulation (GDPR).
That is according to Amsterdam-based Foundation for Market Information Research (Stichting Onderzoek Marktinformatie, or SOMI), a non-profit organisation that advocates for data privacy and consumer issues in the Netherlands and around Europe.
SOMI is urging concerned parents from anywhere in the world to contact it via its website and register for a small fee as it gathers information ahead of a possible collective legal claim against the China-owned social media platform.
“Europe has created the GDPR to give consumers control over their personal data and to protect minors in the digital world,” said Cor Wijtvliet, SOMI co-founder. “TikTok consistently violates similar standards in countries outside the EU on several counts.”
“That is a major cause for concern; not only because it happens without the user’s consent or even their knowledge, but especially because the company is known to have committed such offences in the past,” he said. “Children are insufficiently protected against unwanted contacts with unknown adults online. That’s why we decided to make a stand.
“The first step is thorough research. Only then can we build a potentially successful claim. To this end, we are now collecting user data and research reports. However, the purpose of our public action is not so much to obtain monetary compensation; that is just the cherry on the cake. Our primary objective is to make sure that children are well protected online and that individual consumers are not powerless against the producers of popular apps. Together, we are stronger and the claim is more powerful.”
SOMI’s principle complaint is that TikTok was warned last year that children are not being adequately protected against online contact with adults who are not known to them, and that parental supervision of the service may be “wholly insufficient”.
It said that TikTok allows the creation of user accounts by minors from the age of 13 and up, which for one thing is easily circumvented by under-13s, and that because 13 is below the age of majority in Europe it therefore requires permission from a guardian to process the data; that TikTok processes more sensitive data such as device information, location and user activity, even when inactive; that TikTok lacks transparency around information, communication and rules for subjects to exercise their data rights, and around what data it lets third parties access, and how and what they do with it; and that TikTok’s design and default settings fail to guarantee data protection under GDPR.
SOMI also believes TikTok has not taken appropriate technical and organisational measures to ensure its app is secure in accordance with GDPR, and that it is likely transferring data outside the EU – it cited a June 2020 research paper produced by security firm Penetrum which claims that nearly 40% of IP addresses used by TikTok are from China and can be linked to Alibaba, again a breach of GDPR as China is not considered a safe third country under the regulation.
A TikTok spokesperson told Computer Weekly: “A TikTok spokesperson said: “Protecting our users’ privacy is a top priority and we strongly reject any claims to the contrary. TikTok is an app for people aged 13 and over and our Terms of Services and privacy policy clearly set out our approach and commitment to safeguarding our users’ data.
“For users under the age of 18, we have also developed a separate summary of the privacy policy written in a style designed to make it as easy as possible for our teenage users to understand.,” the spokesperson said.
“We take compliance with applicable laws and regulations on data protection, including the GDPR, very seriously. Our user data is currently stored in the US and Singapore, and we have also announced our intention to establish a European datacentre in Ireland. TikTok is not available in China, and we have never provided data to the Chinese government, nor would we do so if asked.”