The Chinese app TikTok is finally being tackled

The Foundation for Market Information Research (SOMI) calls on parents worldwide to report to the foundation when their children have used TikTok, the popular social media app of Chinese origin in which short music videos can be recorded and shared. TikTok falls short of protecting children using the app. This is the view of SOMI, which is conducting further research into TikTok's practices and business model. The Dutch Data Protection Authority (AP) is also conducting an investigation into TikTok and the AP expects to be able to publish the first results of the investigation later this year. The app is likely to collect and disseminate unauthorized personal data from users, especially minors. In doing so, TikTok is believed to be in violation of the European GDPR regulations. As a follow-up to the investigation, SOMI can combat violations on behalf of concerned parents and enforce improved supervision. The independent European Data Protection Board has also announced that it will set up a task force to investigate data processing by TikTok. The American company Penetrum has already completed an investigation into TikTok and has come to the conclusion that the app involves data collection and tracking, which includes sending digital profiles and user information to China.

This article was published on 28th July 2020 on Riskcompliance.nl in the Netherlands. Please find the English translation below.

Every day, millions of children and young people around the world share countless creative videos via the social media app TikTok. Some videos reach millions of people worldwide through this app. For many, during this corona crisis, it is the way to keep in touch with friends and pass the time together. In law and in the General Data Protection Regulation (GDPR), children are considered to be an extra vulnerable group because they are less aware of the consequences of their actions, especially when their personal data is processed by social media.

Monique Verdier, vice-chairman of the AP, says the following about this: “We see that a great number of Dutch children enjoy using TikTok. We are investigating whether this app is designed and furnished in a privacy-friendly manner. In addition, we check whether the information that children receive from TikTok when installing and using the app can be properly understood and whether there is sufficient explanation about how TikTok collects, processes and further uses their personal data. Finally, we are investigating whether parental consent is required when TikTok collects, stores and further uses personal data from children. ”

Cor Wijtvliet, one of the founders of SOMI, says the following: “Europe has created the GDPR so that consumers remain the owners of their personal data and minors are also protected digitally. TikTok continuously violates such standards in countries outside the EU on several points. That is distressing, not only because this happens without permission and even without the user's knowledge, but mainly because the company has already gone wrong with this several times. Children are insufficiently protected online against unwanted contacts with unknown adults. That's why we decided to make a case. ”

Violations of the GDPR

The general GDPR legislation in the Netherlands has been legally incorporated into the AVG and the Dutch Data Protection Authority, in short AP, has been established as a supervisory authority. According to SOMI, the main objection is that TikTok was already warned in 2019 that children are insufficiently protected from contacts with unknown adults and that supervision of this may still be completely inadequate at the moment. With regard to the applicable GDPR regulations, the objections are more specific, as follows:

Article 8 GDPR - unlawful processing of personal data of minors
The processing of personal data of minors requires permission from a guardian. In the Netherlands this applies to children up to the age of 16. TikTok allows users to create an account from the age of 13. This 'security' can be circumvented too easily.

Article 9 GDPR - unlawful processing of sensitive personal data
TikTok processes sensitive personal data, such as the information about the device on which the app is used, the location data of the device and the user activity. Even when the app is off. In addition, TikTok's app has been found to install 'browser trackers' that track user activity on the Internet.

Article 12 GDPR - Transparent information, communication and further rules for exercising the rights of the data subject
It is unclear which data from users TikTok transmits to third parties (such as Facebook and analysis platform Appsflyer), which third parties these are, how those third parties interact with handle the data and what they use that data for. TikTok tracks user behavior online, but offers no option to delete this data.

Article 25 GDPR - Data protection by design and by default settings
The design and default settings of TikTok do not guarantee the data protection purposes referred to in Article 25 of the GDPR. TikTok has not taken appropriate technical and organizational measures to ensure that only those personal data are processed that are necessary for each specific purpose of the processing. On the contrary, the design and settings of the app are specifically designed to collect as much data as possible.

Article 32 GDPR - Security of processing
In accordance with Article 32, the controller and processor take “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. TikTok's security does not appear to be in line with Article 32 GDPR.

Recent research has revealed several vulnerabilities in the app, including:
1. Webviews: remote webviews that are enabled by default and can therefore be used by external parties to gain access;
2. The app appears to take text as commands and process them directly in Java;
3. The application that uses Java reflection and shortens the VM loading time can be exploited by malicious users and has a CVE score of 8.8 (corresponding to a 'high' risk);
4. Other unexplained faults in the use of the app and the display of information by the app.

Articles 45-49 GDPR - Transfer of data outside the EU
The above-mentioned study indicates that 37.7 percent of the IP addresses that TikTok uses come from China and can be linked to Hangzhou-based Alibaba. China is considered a non-safe third country within the GDPR regulations. In order to process personal data of EU citizens outside the European Economic Area on this scale, TikTok requires a special authorization.

Collective claim

SOMI calls on all concerned parents worldwide to report to the foundation when their children have used TikTok. By completing and signing the online participation form on Tiktokclaim.org, the consumer gives permission for SOMI to investigate the violations on the basis of the users' personal data. In this way, sufficient material can be collected for a possible collective claim against the company. The participation form offers the consumer the opportunity to immediately transfer his or her claim for collection without having to take legal action. A one-off contribution of € 17.50 is charged for registration, after which the consumer can also participate in the other actions of the foundation.

Cor Wijtvliet concludes with “A first step is thorough research. Only then can we build a potentially successful claim. We are now collecting the user data and research reports for this. Incidentally, the purpose of the claim is not to obtain compensation, that is by-catch. For us, it's about protecting children and ensuring that individual consumers are not powerless against the producers of popular apps. Together we are stronger and the claim is stronger. ”

The Foundation for Market Information Research (SOMI) is a non-profit organization set up to identify and influence issues of social importance. SOMI focuses on the functioning of markets in the field of privacy, the elderly, housing and care. For example, in 2016 and 2017, the foundation conducted legal and econometric research into cartels by large banks in the Dutch mortgage market. The unique thing about this promotion was that the participants are also invited to participate as knowledge workers (crowdresourcing). The research has resulted in an online calculator, which provides insight into the consequences of cartel formation for individual home owners.

Click here for the original article on Riskcompliance.nl (in Dutch)