Violation of children's privacy when using TikTok


TikTok is a popular social media app of Chinese origin. Users record short music videos and share them with the world. However, the app falls short in protecting the children who use it. That is the view of the Foundation for Market Information Research (SOMI), which is conducting further research into TikTok's practices and business model. The app is believed to collect and disseminate users' personal data without authorization, especially that of minors, and in doing so to violate the European GDPR (in the Netherlands: AVG). As a follow-up to its investigation, SOMI can pursue these violations on behalf of concerned parents and push for improved supervision.


This article was published on 27th July 2020 on Peuteren.nl in the Netherlands. Written by Marion Middendorp. Please find the English translation below.


"Europe has the GDPR, known in the Netherlands as the AVG. This has been created so that consumers remain the owner of their personal data and minors are digitally protected. TikTok continuously violates such standards in countries outside the EU on several points. That is distressing, not only because this happens without permission and even without the user's knowledge, but mainly because the company has already gone wrong with this several times. Children are insufficiently protected online against unwanted contacts with unknown adults," says Cor Wijtvliet, co-founder of SOMI. "That's why we decided to make a claim."

Mass claim for TikTok

SOMI is calling on concerned parents worldwide to report to the foundation if their children have used TikTok. By completing and signing the online participation form at Tiktokclaim.org, the consumer gives SOMI permission to investigate violations based on the user's personal data. The participation form also offers the consumer the opportunity to transfer his or her claim directly for collection and to initiate legal action for it. Registration costs a one-time contribution of 17.50 euros, after which you can also participate in other actions of the foundation.

"The first step is thorough research. Only then can we build a potentially successful claim. We are now collecting the user data and research reports for this. Incidentally, the purpose of the claim is not to obtain compensation; that is by-catch. For us it is about protecting children and ensuring that the individual consumer is not powerless against the producers of popular apps. Together we are stronger and the claim is stronger," says Cor Wijtvliet.


TikTok in violation

The main objection is that TikTok was warned in 2019 that it does not adequately protect children from interactions with unknown adults, and that its supervision of this may still be completely inadequate today. With regard to the applicable GDPR provisions, the objections are more specifically as follows:

Article 8 GDPR - unlawful processing of personal data of minors

Processing the personal data of minors requires the consent of a parent or guardian. In the Netherlands this applies to children up to the age of 16. TikTok allows users to create an account from the age of 13, and this age check is too easily circumvented.

Article 9 GDPR - unlawful processing of sensitive personal data

TikTok processes sensitive personal data, such as information about the device, the device's location data and the user's activity, even when the app is not in use. In addition, the TikTok app has been found to install 'browser trackers' that follow the user's activities elsewhere on the internet.

Article 12 GDPR - Transparent information, communication and further rules for exercising the rights of the data subject

It is unclear which user data TikTok forwards to third parties (such as Facebook and the analytics platform AppsFlyer), which third parties these are, how those third parties handle the data and what they use it for. TikTok tracks user behavior online but offers no option to delete this data.

Article 25 GDPR - Data protection by design and by default settings

TikTok's design and default settings do not guarantee the data protection objectives referred to in Article 25 GDPR. TikTok has not taken appropriate technical and organizational measures to ensure that it processes only the personal data necessary for each specific purpose of the processing. On the contrary, the app's design and settings appear to be built specifically to collect as much data as possible.

Article 32 GDPR - Security of processing

Under Article 32, the controller and processor "shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". TikTok's security does not appear to be in line with Article 32 GDPR.

Recent research has revealed several vulnerabilities in the app, including:

Third-party access
WebView and remote WebView are enabled by default, and can therefore be used by external parties to gain access;

Java processing
The app appears to take text as commands and process it directly in Java;

High risk
The app's use of Java reflection to shorten VM loading time can be exploited by malicious users and has a CVSS score of 8.8 (corresponding to a 'high' risk);

Other faults
Other unexplained faults in the app's behavior and in the way it displays information.

Article 45-49 GDPR - Transfer of data outside the EU

The study mentioned above indicates that 37.7 percent of the IP addresses TikTok uses are located in China and can be linked to Hangzhou-based Alibaba. China is not considered a safe third country under the GDPR. To process personal data of EU citizens outside the European Economic Area on this scale, TikTok requires a special authorization.

TikTok in the news

TikTok has come under fire worldwide. Investigations into abuses involving the popular app are under way in the Netherlands, Europe and the US. In the Netherlands, the Dutch Data Protection Authority (AP) has been investigating how the privacy of users is safeguarded since May 2020.

The European Data Protection Board (EDPB), the independent European body, has also announced that it will set up a task force to investigate TikTok's data processing. The American company Penetrum has already completed an investigation into TikTok and concluded that the app engages in data collection and tracking, including sending digital profiles and user information to China.



Click here for the original article on Peuteren.nl (in Dutch)