Watchdog engages with TikTok over Chinese access to EU user data

Helen Dixon says app’s Chinese engineers may be accessing EU personal data

‘A number of challenges’ for DPC in regulating TikTok. Image: Omar Marques/ LightRocket via Getty
‘A number of challenges’ for DPC in regulating TikTok. Image: Omar Marques/ LightRocket via Getty

The State's data privacy watchdog is engaging with TikTok, the Chinese-owned video-sharing app, to see whether the user data of EU citizens is being sent to China.

The Data Protection Commissioner Helen Dixon told an online event on Wednesday that engineers in China may be able to see the data of EU residents who use the popular app.

“TikTok tells us that EU data is transferred to the US and not to China. However, we have understood that there is the possibility that maintenance and AI [artificial intelligence] engineers may be accessing the data,” Ms Dixon said.

“There’s a whole lot more we need to understand about all of that.”

READ SOME MORE

The Irish data regulator became TikTok’s supervisor for EU users in December under the one-stop-shop mechanism of the EU data privacy law, the General Data Protection Regulation, that allows multinationals to be regulated by one EU member state regulator for the whole of the bloc.

Companies with EU headquarters in Ireland can make the Irish Data Protection Commission (DPC) their lead supervisory authority for the EU to avoid dealing with multiple EU regulators.

Ms Dixon told a panel discussion hosted by European media network Euractiv that her office has had a “significant number of meetings” with TikTok since December and that, as a result of research conducted by the DPC, there may be issues about personal data being sent to China.

A spokesman for the DPC told The Irish Times it was “engaging with TikTok on these matters”.

EU citizens who use TikTok have their data stored in the US and Singapore under standard contractual clauses and the company, owned by Chinese parent company ByteDance, has plans to move storage of this data to a location in Europe.

However, TikTok’s employees in China are understood to have access to this data, including workers in its algorithm teams, content moderation and in product and engineering teams.

‘Challenges’

Ms Dixon told the event there were “a number of challenges” for the DPC in regulating TikTok and it had to “get to know and understand the service” along with its data protection team in Dublin. She said there was “intensive engagement” between the DPC and TikTok.

The Chinese company has made no public comment in response to the DPC’s remarks.

The Irish regulator has already had engagement with the Italian data privacy watchdog after it ordered TikTok in January to block the accounts of any users in Italy whose age it could not verify following the death of a 10-year-old girl who had been using the Chinese-owned app.

The Italian data protection authority said that although TikTok had committed to ban registration for children aged under 13, it was still easy to circumvent its age restrictions.

The Irish regulator has corresponded and had one face-to-face meeting with the Italian regulator over the issue and is using the incident to engage TikTok on what measures it is taking to verify whether children are operating its platform and what it is doing to safeguard them.

The Irish DPC is carrying out 27 "Big Tech" investigations into internet and social media multinationals including Facebook and Google under the one-stop-shop mechanism.

Simon Carswell

Simon Carswell

Simon Carswell is News Editor of The Irish Times